The Agency has updated the form that allows data controllers to fulfil the obligation to report certain personal data breaches. The new system simplifies the notification of these breaches by guiding data controllers with concrete questions, so that they are aware of the points that must be addressed in the system.
The new form also facilitates the gradual notification of personal data breaches by establishing two types of notification: a new notification, or a modification of a previous notification, the latter for cases in which not all the relevant information is available within the 72 hours required by the General Data Protection Regulation. When submitting a new notification, the data controller can provide the relevant information without attaching additional documents at that moment because, where appropriate, the Agency will request the necessary information.
The Agency communicates with data controllers through the enabled electronic address. Through this channel, data controllers receive both communications about the status of the personal data breach and any other type of notification.
Notifying the Supervisory Authority of a personal data breach is part of the proactive responsibility required by the GDPR, and the notification does not imply the start of an administrative proceeding. In fact, timely notification is proof of the organization's diligence, whereas failure to comply with this obligation is classified as a breach.
This new form for notification to the Personal Data Protection Agency is in addition to the tool “Comunica-Brecha RGPD”, which helps companies and organizations decide whether or not to communicate a personal data breach to data subjects.
SOURCE: SPANISH DATA PROTECTION AUTHORITY – AEPD