Background: Duty to Report Data Breaches
The predecessor of the AVG (the Dutch designation of the GDPR), the Privacy Directive, did not contain an obligation to report data breaches, and the Wbp, the Dutch act that implemented that directive, did not initially contain such an obligation either. In anticipation of the AVG, a duty to report data breaches was added to the Wbp in 2016. With the entry into application of the AVG, and the repeal of the Wbp, data breaches must now be reported under Art. 33 and 34 AVG.
What is a data breach?
The AVG does not use the term "data breach". Instead, it speaks of a "personal data breach". Art. 4(12) AVG defines this as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed". In practice, and also by the Personal Data Authority (Autoriteit Persoonsgegevens, AP), the term "data breach" is used as a synonym for the personal data breach described above.
Specifically, what does that mean?
A data breach is a breach of the security of personal data that an organization processes.
This can take different forms. Well-known examples are cyberattacks on an organization, for example with ransomware, in which the attackers often also steal data from the organization, or the takeover of an organization's e-mail account (Business Email Compromise). But a data breach can also originate inside the organization, for example when a newsletter is sent with all recipients in the "To" field instead of in "BCC", or when employees access files containing personal data that they do not need for their work.
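As an added illustration of the newsletter example (this is example code written for this page, not tooling from the AP or any other party), the following Python builds the same newsletter two ways, once with every subscriber in the To header and once with subscribers passed only as SMTP envelope recipients, and includes the pre-send check that catches the leaky version before it goes out. The sender address and subscriber list are constructed sample data; no mail is actually sent.

```python
"""Newsletter recipient exposure: the "To instead of BCC" data breach, and a check for it.

Constructed example. SENDER and SUBSCRIBERS are sample data, not real addresses.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

SENDER = "newsletter@example.org"
SUBSCRIBERS = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.edu",
]
BODY = "This month's newsletter ...\n"


def build_leaky_newsletter(subscribers: list[str]) -> tuple[bytes, list[str]]:
    """The mistake: every subscriber is placed in the To header, so each recipient
    sees the full distribution list. Returns (wire bytes, envelope recipients)."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = SENDER
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = "Newsletter"
    msg.set_content(BODY)
    return msg.as_bytes(), list(subscribers)


def build_safe_newsletter(subscribers: list[str]) -> tuple[bytes, list[str]]:
    """The fix: subscriber addresses never appear in any header. They are carried only
    as SMTP envelope recipients (RCPT TO), i.e. the to_addrs argument of
    smtplib.SMTP.sendmail(from_addr, to_addrs, msg). Do NOT add a Bcc header and then
    send with sendmail(): that header would go out verbatim in the message."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = SENDER
    msg["To"] = SENDER  # visible To is the sender; real recipients are envelope-only
    msg["Subject"] = "Newsletter"
    msg.set_content(BODY)
    return msg.as_bytes(), list(subscribers)


def exposed_recipients(raw_message: bytes, subscribers: list[str]) -> set[str]:
    """Pre-send check: parse the message exactly as it would go on the wire and
    report which subscriber addresses appear in any header. Only header-level
    exposure discloses the list to the other recipients, so the body is ignored."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    wanted = {s.lower() for s in subscribers}
    found: set[str] = set()
    for _name, value in msg.items():
        for _display, addr in getaddresses([str(value)]):
            if addr.lower() in wanted:
                found.add(addr.lower())
    return found


def safe_to_send(raw_message: bytes, subscribers: list[str]) -> bool:
    """Gate for a sending pipeline: refuse when more than one subscriber address is
    visible in the headers. One is fine: that is an individually addressed mail."""
    return len(exposed_recipients(raw_message, subscribers)) <= 1


if __name__ == "__main__":
    leaky, _ = build_leaky_newsletter(SUBSCRIBERS)
    safe, envelope = build_safe_newsletter(SUBSCRIBERS)
    print("leaky headers expose:", sorted(exposed_recipients(leaky, SUBSCRIBERS)))
    print("safe headers expose:", sorted(exposed_recipients(safe, SUBSCRIBERS)))
    print("safe envelope recipients (never in the message):", envelope)
```

The design point is that the distribution list belongs in the SMTP envelope, not in the message: `smtplib.SMTP.sendmail()` takes the recipient list as a separate argument and transmits the message bytes unchanged, whereas `smtplib.SMTP.send_message()` strips `Bcc` and `Resent-Bcc` headers for you. Running the check over the bytes you are about to hand to the mail server, rather than over the object you think you built, is what catches a template or library change that silently moved addresses into a header.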
There is a data breach, now what?
The AVG contains two notification obligations. First, the controller must notify the supervisory authority, in the Netherlands the AP. In certain cases the controller must also notify the individuals whose personal data are involved in the data breach (the data subjects). Both obligations are described in more detail below.
If the organization where the data breach occurred is not the controller of the affected personal data but a processor, it must report the breach to the controller without undue delay (Art. 33(2) AVG). The processor itself has no obligation to notify the supervisory authority or the data subjects. The processing agreement between processor and controller must contain arrangements on this; that is mandatory under Art. 28(3)(f) AVG. Often a contractual term is agreed within which the processor must notify the controller, sometimes as short as 24 hours. Processors do well to keep this deadline in mind!
Duty to report to the Personal Data Authority
Pursuant to Art. 33(1) AVG, a controller must notify a data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it; a later notification must be accompanied by the reasons for the delay. The obligation is framed as a "yes, unless": data breaches must be reported to the AP unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects (the individuals whose personal data are affected by the breach).
A data controller can become aware of a data breach in a number of ways. Of course, it can be through its own discovery, for example, because the systems stop working on Monday morning and a message from cybercriminals (a "ransom note") is found on the computers. In addition, the controller may become aware of a data breach because the data breach is reported by a processor, or by another external party, such as a data subject or an (ethical) hacker.
Notification to the AP is made using the AP's online form. Sometimes not all of the information that must be provided is known within the 72-hour period. In that case a provisional notification can be made with the information available, and the remaining information is supplied in phases (Art. 33(4) AVG). The provisional notification must generally be completed within 4 weeks.
Duty to notify data subjects
If a data breach must be notified to the AP under Art. 33 AVG, the data subjects may also have to be informed. This duty is laid down in Art. 34 AVG. Paragraph 1 of that article provides that when the breach is "likely to result in a high risk to the rights and freedoms of natural persons", the controller must communicate the breach to the data subjects without undue delay.
What exactly constitutes a high risk is not explained in the AVG. The Article 29 Working Party, the cooperation body of the European privacy supervisors and the predecessor of the European Data Protection Board, has issued guidelines on personal data breach notification (WP250, endorsed by the EDPB) that further specify the duty to notify the supervisory authority and the data subjects.
Notification of the data subjects can be omitted in three cases (Art. 34(3) AVG): (a) the controller had applied appropriate technical and organizational protection measures to the affected data, in particular measures that render the data unintelligible to unauthorized persons, such as encryption; (b) the controller has taken subsequent measures ensuring that the high risk is no longer likely to materialize; or (c) individual notification would involve disproportionate effort, in which case a public communication or an equally effective measure must be used instead. Note for practitioners: exception (a) only carries weight if the key material was not compromised together with the encrypted data, and if the confidentiality of a backup is not the only thing that was affected.
For notification of the data subjects the AVG sets no concrete deadline; it only states that the communication must be made "without undue delay".
For more information on data subjects' rights, see the topic file AVG: data subjects' rights.
Administrative fine
The AP can impose an administrative fine for data breaches that are not reported or are reported late. A fine is also possible if a data breach results from insufficient security measures (Art. 32 AVG). Under Art. 83(4) AVG the AP can impose a fine of up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher, for violation of (among other things) the data breach notification obligation.
Further learning
Secretary of State: 'Appalling Shock' after Megadata breach at Clinical Diagnostics (News press release)
Hack Clinical Diagnostics proves bigger: data of 850,000 patients stolen (News press release)
Criminal investigation into theft of personal data (News press release)
Mass claim Clinical Diagnostics, ministry evaluates citizen service number (News press release)
Major data breach hits population screening for cervical cancer: data of over 485,000 participants hacked (News press release)
Cabinet tightens crackdown on corruption after leaks by officials (News press release)
AP: Data theft by cybercriminals doubled (News press release)
Roadmap: 'Take action in the event of a data breach' (Published)
You notice a data breach; what AVG measures should you take as an employer? (Article)
Preventing a data breach? Points of attention for healthcare providers & ICT suppliers (Article)
When do I not have to report a data breach to the AP and affected individuals? (Question & Answer)