Following the fire of 10 March 2021 at a datacenter in Strasbourg, the CNIL recalls the obligations on notification of personal data breaches where personal data have been made unavailable or destroyed.
The destruction or unavailability of personal data, whether temporary or permanent and even when accidental, constitutes a personal data breach under the GDPR.
For this reason, data controllers that hosted personal data in the affected infrastructure must document the breach (the facts, its effects, and the measures taken to remedy it) in their internal breach register.
Processors must inform their clients (the controllers) of the situation so that the clients can meet their own obligations, including documenting the breach in the register that each of them keeps.
Cases in which notification is not necessary
Notification to the CNIL and communication to the individuals concerned are not necessary if the consequences for individuals remain limited. In particular, it is not necessary to inform the CNIL:
- if the activation of a business recovery plan (BRP) or a business continuity plan (BCP) has ensured service continuity; or
- if personal data have been restored from backups without significant consequences for individuals (for example, where the consequences are limited to being unable to place an order for a few hours).
When notification is necessary
On the other hand, notification to the CNIL is necessary:
- if personal data have been permanently lost; or
- if they are unavailable for long enough to create a risk for individuals.
In addition, if the breach is likely to result in a high risk for individuals, the individuals concerned must also be informed directly by the data controller.
The level of risk is assessed in particular in light of the type of data involved and the potential consequences of the breach (for example, the permanent loss of a patient's health data is likely to involve a high risk).
The CNIL's role is to receive data breach notifications and to advise on communications to affected individuals; it does not provide assistance or remediation services for computer security incidents.
SOURCE: French Data Protection Authority (CNIL)