Notification of a personal data breach to the supervisory authority
If a personal data breach has occurred, the controller shall notify it to the supervisory authority competent under Article 55 without unreasonable delay and, if possible, not later than 72 hours after having become aware of it, unless the personal data breach is not likely to present a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay.
The processor shall inform the controller without unreasonable delay as soon as it becomes aware of a personal data breach.
The notification referred to in paragraph 1 shall describe or communicate at least the following:
the nature of the personal data breach, specifying where possible the categories of data subjects and personal data records concerned and, approximately, the number of data subjects and personal data records concerned;
the name and contact details of the data protection officer or other contact point where more information can be obtained;
the probable consequences of the personal data breach;
the measures proposed or taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate any adverse effects.
If and to the extent that it is not possible to provide all information simultaneously, the information may be provided in increments without unreasonable delay.
The controller shall document all personal data breaches, including the facts surrounding the personal data breach, its consequences and the remedial measures taken. Such documentation shall enable the supervisory authority to verify compliance with this Article.