- The document aims to guide data controllers in their obligation to notify breaches to Supervisory Authorities and to communicate them to data subjects.
- Notification and communication of breaches affecting personal data are part of the proactive responsibility established in the GDPR.
- The Agency has handled about 700 data breach notifications reported in 2021; the majority of them were caused by external and intentional attacks, with ransomware as the most frequent threat.
The Spanish Data Protection Agency (AEPD) has published today an update to its “Guideline for the notification of personal data breaches”, a document which aims to guide data controllers in their obligation to notify breaches to the Supervisory Authority and to communicate them to data subjects.
This updated guideline revises the guidelines published in 2018, when the General Data Protection Regulation (GDPR) began to apply, and incorporates the experience gathered in this period, both at the national level and through the criteria established by the European Data Protection Board.
The main purpose of this update is to facilitate efficient compliance with the ultimate purposes of personal data breach notifications: the effective protection of the rights and freedoms of individuals, the creation of a more resilient environment based on the organization's acknowledgement of its own vulnerabilities, and the guarantee of the rule of law, by providing data controllers with a way to demonstrate diligence while fulfilling their obligations.
Any organization is exposed to a personal data security breach that may have an impact on the rights and freedoms of individuals, and it is obliged to manage it appropriately. Such an incident may be accidental or intentional in origin, and usually results in the destruction, loss, alteration, disclosure of, or unauthorized access to personal data. The guideline begins by analyzing what is and what is not a personal data breach in the context of the European, national and sector-specific legal framework. It then discusses when a breach must be notified to the Supervisory Authority, within what period, by whom, and what content the notification must include. Regarding communication to data subjects, the document establishes the cases in which it must be carried out, its content and its deadlines.
Notifications and communications concerning personal data breaches are part of the proactive responsibility established in the GDPR, and the act of notifying or communicating does not imply the imposition of a sanction. Doing so in a timely manner is proof of the organization's diligence, whereas failure to comply with this obligation is classified as an infringement.
The Guideline also offers further guidance to facilitate and simplify compliance with those obligations and, among other points, provides criteria on some deadlines that the GDPR left open, such as the notification of a personal data breach to the supervisory authority in phases, the time limits for communicating it to the persons whose data have been affected, or for processors to inform controllers when a breach occurs.
The Agency has handled more than 700 reported data breaches in the first five months of 2021. Most of them were caused by an external and intentional attack, with ransomware being the most frequent threat, compromising not only the availability but also the confidentiality of personal data.
Communications to data subjects
As a complement to this Guide, the Agency provides a tool called “Communicate-Breach GDPR”, which helps organizations decide whether or not to communicate a data breach to the affected people, an obligation separate from that of notifying the supervisory authority of the breach.
This resource is based on a short form that collects details allowing the application of basic criteria indicative of the risk associated with the breach. Once the form is completed, and depending on the information provided, the tool advises on one of three possible outcomes: that the security breach must be communicated to the persons concerned, where a high risk is assessed; that such communication is not necessary; or that the level of risk cannot be determined. The final decision must be made by the controller according to the specific aspects of the processing and of the specific breach. In no case does the Agency store the data entered during the process.
SOURCE: SPANISH DATA PROTECTION AUTHORITY – AEPD