Data Protection Violation: When do I have to report it?

22 August 2024
LLP Law | Patent


Data protection is a constantly relevant and omnipresent topic in times of the GDPR. It is widely known that data protection must be taken seriously and that a data protection violation can result in high fines. And yet violations occur regularly, including in the context of the obligation to report personal data breaches. Whether this is due to a lack of awareness on the part of employees or to inadequate internal responsibilities and reporting processes, personal data breaches must be reported to the competent supervisory authority without undue delay in accordance with Art. 33 para. 1 GDPR. If the breach is likely to result in a high risk to the rights and freedoms of the data subjects, they must additionally be notified of the breach in accordance with Art. 34 para. 1 GDPR.

Which breaches do you have to report? Under what circumstances does the reporting obligation not apply? What can you expect in the event of a breach of the reporting obligation? Find out in the following article.

What constitutes a data protection violation?

The first question is when a data breach, i.e. a breach of the protection of personal data, actually occurs. The answer:

In principle, any breach of security that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data (Art. 4 No. 12 GDPR). It does not matter whether this is intentional or not. Frequently recurring case groups are hacker attacks on the company's IT systems, the inadequate disposal of data carriers, the loss of data carriers through carelessness or theft, mis-sent e-mails or letters, and the misuse of access rights by employees.

Obligation to report data protection violations

Whether a reporting obligation to the supervisory authority, or even a notification obligation towards the data subjects, exists is assessed according to a risk-based approach. If a data breach is unlikely to result in a risk to the rights and freedoms of the natural persons concerned, there is no need to report or notify; the breach must nevertheless be documented internally in accordance with Art. 33 para. 5 GDPR.

If a risk cannot be ruled out, the breach must be reported to the supervisory authority, and the further question is whether the risk is "high" or merely "medium" or "low". This prognosis determines whether the data protection violation only has to be reported to the authority or whether there is an additional obligation to notify the data subjects. Notification of the data subjects is therefore not necessary for every reportable breach. Whether it is necessary depends on the probability of occurrence and the severity of future disadvantages for the data subjects, or on the severity of disadvantages that have already occurred. If the disadvantage and/or the probability of occurrence exceed a substantial level, the result of the risk assessment will generally be a high risk.

A helpful rule of thumb for an initial assessment based on the actual circumstances is the question: "If notified, could those affected take measures to minimise their own risk?", e.g. by changing passwords for compromised online accounts or by blocking credit cards after theft of credit card data. If such an option for action exists, a notification obligation must be assumed in case of doubt. The number of data records affected, the characteristics of the persons affected (for example children or other vulnerable persons) and the type, sensitivity and scope of the personal data affected by the breach can also provide an initial basis for assessing the risk before the actual risk analysis is carried out. A breach involving special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) will, for example, generally indicate a higher risk.

Formal Requirements

In the event of a reportable data breach, the controller is obliged to notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the incident. If the 72-hour deadline cannot be met, the report must be accompanied by the reasons for the delay. Citing organisational problems will not normally be accepted by the supervisory authorities as a sufficient excuse for exceeding the 72-hour deadline. Public holidays and weekends are not excluded from the deadline calculation either. If not all information is available within 72 hours, the report may be submitted in phases and supplemented later (Art. 33 para. 4 GDPR); this is not a reason to wait with the initial report. The handling of data breaches therefore cannot be deferred and must be processed with the highest priority.

In order to handle data breaches effectively, it is first important to raise employee awareness. Employees must be able to recognise data breaches so that incidents do not go unnoticed or are only discovered by external parties such as customers, partners or the media. It is also crucial to define clear responsibilities, so that the necessary measures can be taken quickly once a data breach is detected in order to limit the extent and consequences of the incident. Finally, a reporting process must be developed and implemented. Such a process ensures that data breaches are immediately reported internally and handled correctly, and makes it possible to decide quickly whether a report to the authority is necessary and what information needs to be passed on.


Content requirements for the notification of data protection violations

The content requirements for notifications of a data protection violation to the supervisory authority are governed by Art. 33 (3) GDPR.

Firstly, the law requires a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned. Secondly, the name and contact details of the data protection officer or of another contact point must be given so that the supervisory authority can obtain further information. Thirdly, the likely consequences of the breach must be described. However, it is not only the description of the damage that is relevant: the notification must also set out the measures the company has taken or proposes to take to address the breach and, where appropriate, to mitigate its possible adverse effects.

Consequences of a data protection violation

After a notification is received, the reported data protection violation and the associated risks are reviewed. The supervisory authority may now advise further measures to minimise risks and improve technical and organisational measures.

Breaches of the reporting and notification obligations under Art. 33 and 34 GDPR are subject to the system of fines in Art. 83 GDPR. Infringements are punishable by fines of up to 10,000,000 euros or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In view of this risk of fines, the need for a functioning strategy for reporting data protection violations in B2B companies cannot be overstated.

Conclusion

In conclusion, the correct handling of data protection violations is essential for B2B companies. The GDPR provides a clear framework for dealing with such violations and threatens strict sanctions for non-compliance. Companies must therefore exercise a high degree of responsibility and care. In doing so, they minimise potential risks to the personal data of data subjects while fulfilling their own legal obligations.


Effective training and awareness-raising for employees, the establishment of clear responsibilities and the development of a structured reporting process are key elements in managing data breaches effectively. In addition, it is important that organisations maintain a clear line of communication with the competent supervisory authority and provide all necessary information in accordance with the legal requirements.

Data protection is not only a legal obligation, but also an essential aspect of trust between companies and customers. A proactive approach to data protection and transparent handling of data breaches can enhance a company’s reputation and contribute to long-term success. Given the significant fines and potential reputational risks associated with data protection violations, it is imperative that organisations maintain the highest standards in these areas.

If you have any questions, please contact our Munich lawyers at LLP Law|Patent. At LLP Law|Patent, we can help B2B companies optimise their data protection practices and minimise legal risks.

Richard Metz | Rechtsanwalt (Lawyer), Authorized External Data Protection Officer (TÜV Certified)

Mr. Metz is your point of contact for legal issues concerning data protection. He will support you in particular with data protection compliance when introducing new products, with the preparation and review of contracts and documents from a data protection perspective, with the legal review and evaluation of data processing procedures, and with cross-border data protection issues. A further focus of his work is on copyright law and competition law.

Mr. Metz is also an external data protection officer (TÜV-certified) for nationally and internationally operating medium-sized IT companies and start-ups.
