Article 33a (data breach notification)

  1. The controller shall report a security breach to the Autoriteit Persoonsgegevens without delay and at the latest within 72 hours of becoming aware of it, unless the breach is not likely to present a risk to the rights and freedoms of individuals. In case the notification is made after 72 hours, it shall be accompanied by a justification for the delay.

  2. The notification referred to in the first paragraph shall contain at least the following information:

     a. a description of the nature and extent of the breach referred to in the first paragraph, including, where possible, the categories of data subjects and data records and, by approximation, the number of data subjects and data records;

     b. communication of the name and contact details of the data protection officer or other contact point where more information can be obtained;

     c. a description of the probable consequences of the breach referred to in the first paragraph;

     d. a description of the measures proposed or implemented to terminate the breach referred to in paragraph 1 and, where appropriate, the measures taken to mitigate any adverse effects.

  3. To the extent that it is not possible to provide the information referred to in the second paragraph simultaneously, it may be provided in stages without undue delay.

  4. The controller shall notify, without undue delay, a breach of security of police data transmitted by or to a controller of another Member State to the controller of that Member State.

  5. The controller shall notify a security breach to data subjects if the breach is likely to result in a high risk to the rights and freedoms of individuals. The notification shall contain a description of the nature of the security breach and at least the information referred to in paragraph 2, subparagraphs b, c and d.

  6. The communication to those concerned referred to in paragraph 5 is not required when:

     a. the controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the police data affected by the breach referred to in the first paragraph;

     b. the controller has taken measures to ensure that the high risk referred to in paragraph 5 is unlikely to recur, or

     c. communication would require a disproportionate effort. In that case, a public notice or similar measure that informs data subjects as effectively will follow.

  7. Communication to the person concerned may be delayed, limited or omitted on the grounds referred to in Article 27, paragraph 2.

Information valid on 01-01-2020

Regulations based on this article (delegated regulations)

No

Policies and circulars that have this article as legal authority

No

Articles or similar text referring to this article

  1. Decree mandate, power of attorney and authorization Autoriteit Persoonsgegevens
    article: 3

  2. Penalty Policies Autoriteit Persoonsgegevens 2019
    annex: 5

  3. Regulation WPG Defense
    article: 4.1, 4.2

  4. Law on use of passenger data to combat terrorist and serious crimes
    article: 17

  5. Police Data Act
    article: 35c, 36c, 24a, 32

  6. Money Laundering and Terrorist Financing Prevention Act
    section: 14

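Summary of changes for this article (01-01-2020)

| Effective date | Retroactivity | Subject | Origination source: signature | Origination source: announcement | Origination source: chamber documents | Entry into force: signature | Entry into force: announcement | Note |
|---|---|---|---|---|---|---|---|---|
| 2019 | | modification | 2019 | Stb. 2019, 141 | 33844 | 2019 | Stb. 2019, 164 | |
| 2019 | | new | 2018 | Stb. 2018, 401 | 34889 | 2018 | Stb. 2018, 495 | |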