
FINNISH SUPERVISORY AUTHORITY: personal data breaches caused by the Microsoft Exchange vulnerability shall be reported to the authorities and registered with the Office of the EDPS

The Office of the European Data Protection Supervisor reminds data controllers that they shall notify a personal data breach to the data subjects and to the Supervisory Authority when the breach can represent a high risk for data subjects. The Cybersecurity Center warned about a critical vulnerability in Microsoft Exchange Server at the beginning of March.

Since March, the EDPS Office has received 28 notifications of personal data breaches related to a critical vulnerability in the Microsoft Exchange mail server. This number is going to increase.

The Cybersecurity Center has estimated that the vulnerability was actively exploited at the beginning of March and that an organization using a vulnerable Microsoft Exchange mail server was a victim of a data breach. Simply installing a software update is not sufficient to hold off a hacker. You can read more about the advice in the Bulletin of the Cybersecurity Center.

A personal data breach shall be reported if personal data have been lost

In the event of a personal data breach, the data controller shall assess the risk caused by the breach.

In a personal data breach, personal data is destroyed, lost, altered, disclosed without authorization, or accessed by an unauthorized person.

A data breach of an email server is likely to represent a high risk to the rights and freedoms of data subjects. Such a personal data breach shall be notified to the persons affected without undue delay. The notification to data subjects is specified in Article 34 of the GDPR.

A high-risk personal data breach must be reported to the supervisory authority, i.e. the Office of the Data Protection Ombudsman. The data controller is responsible for making the notification. The personal data breach shall be notified without undue delay and, where possible, within 72 hours after the breach has been detected. A high-risk security breach shall also be documented.

SOURCE: FINNISH DATA PROTECTION AUTHORITY
