Duty to report data breaches under the General Data Protection Regulation

Since January 1, 2016, the Personal Data Protection Act (Wbp) has included the so-called mandatory data breach notification (Article 34a Wbp). With this mandatory notification, the Netherlands was one of the forerunners within the European Union (EU) when it came to data breaches involving personal data. With the General Data Protection Regulation (AVG), a new mandatory data breach notification will apply to the entire European Union (including the Netherlands) as of May 25, 2018 with respect to personal data (Articles 33 and 34 AVG). As a result, the current Dutch data breach notification obligation will lapse. In terms of structure, the new European mandatory notification is similar to the current Dutch mandatory notification, but there are also important differences. In this article we discuss a number of points for attention.

16 April 2018

What exactly is a data breach?

The AVG defines a data breach as a security breach that accidentally or unlawfully results in the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. The key here is that it must be a security incident involving personal data. If no personal data are involved, then there is no data breach as referred to in the AVG.

The Article 29 Working Party - the working group to which the European privacy regulators belong - gave some examples of data breaches in its recent opinion on the data breach notification obligation under the AVG. Data breaches can include a situation where a laptop or USB stick containing personal data is lost or stolen, or a situation where a hacker gains access to a computer containing personal data or where such a computer is encrypted as a result of ransomware. In its opinion, the Article 29 Working Party also indicates that the temporary unavailability of personal data should be considered a data breach unless the unavailability is due to scheduled maintenance.

The latter appears to be an extension of the definition of a data breach under the Wbp. The Wbp describes a data breach as a breach of the security referred to in Article 13 of the Wbp. That article requires the responsible party (the party that determines the purpose and means of the processing) to implement appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. In its policy rules on the data breach notification obligation, the Autoriteit Persoonsgegevens (AP) explained that there is a data breach if personal data has been lost in a security incident or if unlawful processing of personal data cannot reasonably be ruled out. To that extent, a data breach under the Wbp relates above all to the loss or other unlawful processing of personal data rather than to the unavailability of personal data (assuming that the data has not been lost or otherwise unlawfully processed).

When should a data breach be reported?

Under the AVG, as now under the Wbp, not every data breach has to be reported to the Autoriteit Persoonsgegevens (AP) and to the data subjects (the individuals to whom the personal data relates). The data controller must report a data breach to the AP without unreasonable delay (and no later than 72 hours after becoming aware of it), unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons. Reports can be submitted through the reporting tool on the AP's website.

In its recent opinion, the Article 29 Working Party indicates that the latter can be the case, for example, if the personal data are encrypted in such a way that unauthorized persons cannot gain knowledge of them and the controller still has the personal data at its disposal (e.g. via backups). With regard to the 72-hour period, the Article 29 Working Party notes that a data controller may conduct a short investigation to determine whether or not a data breach has actually occurred. During that short period the 72-hour period does not yet begin to run. However, once it can reasonably be determined that a data breach has occurred, the period begins to run.

Under the AVG, data subjects must be notified without undue delay if the data breach is likely to pose a high risk to the rights and freedoms of natural persons. The AVG does, however, list three situations in which notification of data subjects is not required:

  • the controller has taken appropriate technical and organizational protective measures and these measures were applied to the personal data affected by the data breach. An example is encryption that renders the personal data unreadable to unauthorized persons.

  • the controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize.

  • direct notification of data subjects would require disproportionate effort (for example, because the controller does not have the necessary contact information). In that case the controller must instead make a public announcement or take a similar measure by which data subjects are informed equally effectively.

The data breach notification obligation under the AVG applies a different test than the Wbp. The Wbp speaks of data breaches that lead to (a significant chance of) serious adverse consequences for the protection of personal data (for reporting to the AP) and of data breaches that are likely to have adverse consequences for the privacy of data subjects (for reporting to data subjects). Because the AVG applies a lower threshold, a situation in which reporting is required will arise more readily under the AVG.

Incidentally, a data controller must keep a record of all data breaches, including those that do not have to be reported to the AP and data subjects. It is therefore important that the data controller has a procedure in place within the organization so that a data breach can be registered and a timely assessment can be made of whether or not it must be reported to the AP and data subjects. It should also be borne in mind that a data breach that does not need to be reported initially may need to be reported later (for example, because the security measures applied have become obsolete). A data controller will therefore need to consider from time to time whether this is the case for previously unreported data breaches.

What is the role of a processor?

In practice, a data controller frequently engages a processor to carry out a particular processing operation (think of hosting, payroll or absence management). The AVG provides that processing by a processor is governed by a contract or other legal act that binds the processor to the controller: the so-called processor agreement. Among other things, this agreement must stipulate that the processor, taking into account the nature of the processing and the information available to it, assists the controller in complying with the data breach notification obligation. In this regard, the AVG stipulates that the processor must inform the controller without unreasonable delay as soon as it becomes aware of a data breach.

The Article 29 Working Party explains in its opinion that a processor does not need to assess whether a data breach must be reported to the AP and data subjects. That assessment is for the data controller to make as soon as it becomes aware of a data breach. The processor only has to determine whether there is a data breach and then notify the controller without delay. In practice, we regularly see processors stipulating that they only have to notify the controller of data breaches that must be reported to the AP and/or data subjects. This is not in line with the AVG: under the AVG, a processor must notify the controller of all data breaches, including those that do not have to be reported (see Article 33(2) AVG).

According to the Article 29 Working Party, once a data controller has been notified of a data breach by the processor, the controller is deemed to be aware of the data breach (and the deadline for reporting it therefore starts to run). Since the AVG does not expressly set a deadline within which a processor must notify a controller of a data breach, the Article 29 Working Party recommends that the processor notify the controller without delay and provide further details about the data breach later. It is advisable to make arrangements on this point in the processor agreement.
