Notification of a personal data breach to the data subject
Where the personal data breach is likely to present a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of the personal data breach without delay.
The communication to the data subject referred to in paragraph 1 of this Article shall contain a description, in clear and simple language, of the nature of the personal data breach and at least the information and measures referred to in Article 33(3)(b), (c) and (d).
The notification to the individual referred to in paragraph 1 is not required when one of the following conditions is met:
the controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to unauthorized persons, such as encryption;
the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is unlikely to recur;
the communication would require disproportionate efforts. In that case, a public notice or similar measure would be substituted whereby data subjects would be informed as effectively.
If the controller has not yet notified the personal data breach to the data subject, the supervisory authority may, after considering the likelihood that the personal data breach poses a high risk, require the controller to do so or decide that one of the conditions referred to in paragraph 3 has been met.
