In this article, we would like to introduce Guidelines 9/2022 on personal data breach notification under GDPR, which were adopted on 28 March 2023. Guidelines 9/2022 are a slightly updated version of the previous guidelines on the same subject. They were adapted because the notification requirements for personal data breaches at non-EU establishments needed clarification. The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors may take to fulfil these obligations. They also give examples of various types of breaches and of who must be notified in different scenarios.

1. Security

The main requirement of the GDPR is to take appropriate measures to protect personal data from unauthorised or unlawful processing, as well as from accidental loss, destruction, or damage. The purpose of this provision is to prevent breaches and, if a breach occurs, to respond to it promptly. When selecting appropriate security measures, the state of the art, the costs of implementation, and the nature, scope, context, and purpose of the processing should all be taken into account.

2. Breach of personal data protection

The GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The main criterion for this definition is authorised control over personal information. That is, if an authorised person loses control over certain information, these actions or events are recognised as a breach, regardless of the fault of the person concerned.

The GDPR distinguishes the following forms of loss of control:

  • Destruction – the personal data no longer exists (cannot be controlled by any person);
  • Damage – the personal data has been altered, corrupted, or is no longer complete;
  • Loss – the personal data still exists, but the controller has lost control of or access to it;
  • Unauthorised or unlawful processing – the personal data is accessible to recipients who are not authorised to receive (or access) it.

3. Types of personal data breaches

It is important to note that, when qualifying a breach under the GDPR requirements, the types of breaches are not mutually exclusive: more than one type may apply to a single incident.

  • Confidentiality breach – when an unauthorised or accidental disclosure of, or access to personal data occurs;
  • Integrity breach – in case of an unauthorised or accidental alteration of personal data;
  • Availability breach – when an accidental or unauthorised loss of access to, or destruction of, personal data occurs. A loss of availability includes data that has been deleted either accidentally or by an unauthorised person;
  • Temporary loss of availability – a violation of the GDPR is recognised regardless of the form of fault. The criterion for distinguishing between temporary and permanent loss of access is “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. This criterion should be ensured objectively by applying the measures discussed above.

The GDPR establishes an exception to temporary loss of access in the case of planned system maintenance. At the same time, if a temporary loss of access to information has turned into a permanent loss or destruction of information, the temporary loss of access should be documented. In addition, the controller will need to notify the affected individuals and the supervisory authority in accordance with Article 33 of the GDPR, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.

4. Consequences of a personal data breach

The GDPR recognises that the consequences of such a breach may include a loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, etc. Therefore, where adverse effects may occur for the person whose information was stored, the GDPR requires the controller to notify the competent supervisory authority of the breach, unless the breach is unlikely to result in a risk of such adverse effects. If that risk is high, the GDPR requires the controller to notify the affected individuals as soon as reasonably feasible.

If the controller fails to notify the supervisory authority or data subjects of a data breach or both, even though a personal data breach has occurred with the likelihood or high probability of negative consequences for the person whose information was stored, the supervisory authority is entitled to impose a data protection fine of up to EUR 10,000,000 or up to 2 per cent of the total worldwide annual turnover of an undertaking.

If several types of breaches occurred within the same incident, the supervisory authority is able to apply the administrative fines at a level that is effective, proportionate, and dissuasive within the limit of the gravest offence. If a controller fails to take all appropriate measures described above to preserve information, resulting in adverse consequences for interested parties, the supervisory authority is able to impose sanctions for these two episodes, even though they result in the same consequence.

5. Notification to the supervisory authority

The obligation to report a personal data breach to the authorised body must be fulfilled within 72 hours from the moment when the controller became “aware” of the breach. The EDPB considers that a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred which resulted in personal data being compromised.

At the same time, according to the GDPR, the controller must implement appropriate technical protection and organisational measures to establish the possible occurrence of a breach and to notify the affected data subjects and the supervisory authority promptly. Therefore, the burden of being “aware” is on the controller. The controller is also given a “short period of time” to verify a potential personal data breach after being notified that such a breach may have occurred. During this time, the controller is not considered “aware”, and the 72-hour period starts from the moment of certainty about the event. Once the controller has obtained a reasonable degree of certainty that a breach has occurred, the controller must establish whether the breach has had a negative impact. If so, the controller must notify the competent supervisory authority.

6. Joint controllers

If one information or storage resource is under the control of two or more controllers, Article 26 of the GDPR gives these entities discretion to allocate the authority to comply with the requirements of Articles 33 and 34 of the GDPR. In other words, the controllers must determine who will be authorised to verify access to personal information and notify the authorised supervisory body.

7. Information processor

The processor has an important role to play in enabling the controller to fulfil its obligations, and this includes reporting breaches. If a processor becomes aware of a breach of the personal data it processes on behalf of the controller, it must notify the controller “without undue delay”.

If the processor becomes aware of a personal data breach, the burden of verifying the authenticity of the breach lies with the processor, not the controller. The controller should be considered “aware” once the processor has informed it of the breach.

The GDPR does not set a time limit for the processor to alert the controller of the breach, but the 72-hour time limit for the controller to notify the competent authority should be taken into account. The contractual basis between the controller and the processor may detail the application of the GDPR provisions; for example, it may include requirements for early notification by the processor that in turn support the controller’s obligations to report to the supervisory authority within 72 hours.

8. Notification to a supervisory authority

In the event of the circumstances described above, the controller should contact the supervisory authority with the following information:

  1. A description of the breach, including, where possible, the categories and approximate number of data subjects concerned;
  2. A description of the likely consequences of the breach;
  3. A description of the measures implemented before the breach to prevent it and of the measures taken after the breach.

A general exception to the 72-hour deadline applies when it is objectively impossible to provide the information in time. The GDPR acknowledges that controllers will not always be able to provide the full scope of information at once. In this case, the controller must report all available information to the competent supervisory authority and provide an estimate of how long it will take to supply the information that is not yet available.

9. Communication with the data subjects

If the controller becomes aware that a personal information breach has occurred, the affected individuals must be notified. Such contact should be made directly with the affected person as soon as reasonably possible. The rules for notification and the context of the information provided are similar to the rules for notification of competent regulatory authorities. Controllers may therefore wish to contact and consult the supervisory authority, not only to seek advice on informing data subjects about a breach under Article 34, but also on the appropriate messages to be sent to, and the most appropriate way to contact, individuals.

In contrast, notification of individuals is not required if:

  1. The controller has applied appropriate technical and organisational measures to protect personal data before the breach;
  2. Immediately following a breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise;
  3. It would involve disproportionate effort to contact individuals, perhaps where their contact details have been lost as a result of the breach or were not known in the first place.

The risk of negative consequences for the person whose information is stored should be assessed based on:

  1. The type of information;
  2. The nature, sensitivity, and volume of personal data;
  3. Ease of identification of individuals;
  4. Severity of consequences for individuals;
  5. The number and characteristics of affected individuals.

Dr. Miklós Péter – GDPR lawyer dmp@dmp.hu / +36306485521