Data Breaches: How to comply and meet the Deadline
A data breach requires quick action: Is an incident reportable? What is the reporting deadline? How does the notification work and what should it contain? We will answer all your questions and provide you with a step-by-step guide to reporting data breaches. We can help you report, communicate with regulators and prevent future incidents. Arrange a no-obligation initial consultation now!
What is a data breach?
A data breach occurs when the security of personal data is breached in such a way that personal data that has been transmitted, stored or otherwise processed is unintentionally or unlawfully altered or destroyed, lost, disclosed or made available to unauthorised persons. This may occur, for example, as a result of technical failures, human error or targeted attacks such as hacking or phishing attacks. Data protection incidents can occur in a wide variety of forms and constellations and require detailed investigation to determine the extent of the incident and whether there are any reporting obligations to supervisory authorities, data subjects and/or contractors.
When is a data breach reportable?
The first requirement is therefore that the security of the data has been breached - not every security breach is a data protection incident. If this security breach also leads to one or more of the above-mentioned infringements (e.g. unauthorised disclosure), it is a data protection incident. According to Article 33 of the GDPR, a data protection incident must always be reported to the competent data protection supervisory authority. Only in exceptional cases can this be waived.
When does a data breach not need to be reported?
The only exception to the notification requirement is where the data incident is "unlikely to result in a risk to the rights and freedoms of natural persons". This could be the case, for example, if the data concerned are inaccessible to unauthorised third parties due to appropriate safeguards, such as sufficient encryption. Although there is no requirement that a risk can be completely excluded, the requirements for the risk assessment are strict, meaning that a robust argumentation is required if a notification is not required due to a lack of risk.
Do the data subjects also need to be informed?
In addition to notifying the supervisory authority, it may also be necessary to notify the data subjects themselves. This is the case when the data incident is likely to pose a high risk to their rights and freedoms. This may be the case, for example, in the event of possible identity theft, financial loss, damage to reputation or other serious consequences.
What is the deadline for reporting a data breach?
The company or organisation responsible for processing the data must report the incident to the relevant data protection authority without delay and no later than 72 hours after becoming aware of the breach.
Non-binding initial consultation on data breaches
Why not arrange a no-obligation initial consultation with one of our specialist solicitors to discuss your situation, your advice needs and - if necessary - to act quickly!
What is the process for reporting a data breach?
To meet the requirements of the GDPR, data protection incidents should be reported in a structured and efficient manner:
1. Recognising and assessing the incident
As soon as a data protection incident is detected, the relevant departments in the company must be informed. These typically include contact persons from IT, information security, the data protection officer and the management. The responsible contacts assess the data protection incident, particularly with regard to the associated risks. Among other things, they check which data is affected, how serious the consequences are and whether there is a risk to the rights and freedoms of the data subjects. The assessment also includes the question of whether the incident must be reported to the supervisory authority and, if applicable, to the data subjects.
2. Notification to the supervisory authority within 72 hours
If there is an obligation to report, the report must be made immediately and at the latest within 72 hours of becoming aware of the incident. Many supervisory authorities provide forms for reporting data protection incidents on their websites. However, it is advisable to check these forms carefully as they may ask for more information than is covered by the statutory reporting obligation.
3. Informing the data subjects (if necessary)
If there is a high risk to the data subjects, they must also be notified in accordance with Article 34 of the GDPR.
4. Documentation of the incident
Regardless of whether a notification is required, the incident must be documented internally. This documentation serves to prove compliance with the GDPR and to be available for subsequent investigations by the supervisory authority. This includes, among other things, the assessment of the incident, the decision on the reporting obligation and the measures taken.
5. Taking measures to limit the damage
Parallel to reporting, immediate action should be taken to contain the potential damage. This may include:
- Closing security gaps
- Restoring lost data
- Implementing additional security measures
The results of these measures should also be documented.
6. Follow-up and optimisation
After the incident has been closed, a follow-up should take place. This includes analysing the incident to understand how it could have been prevented. Any resulting adjustments to the data protection measures or IT security precautions should be implemented in order to prevent future incidents and thus continuously improve the level of data protection.
What must the notification of a data protection incident contain?
The notification of a data protection incident to the competent supervisory authority must contain certain information to enable the authority to assess the incident and, if necessary, take appropriate measures. According to Article 33 of the GDPR, the following information must be included in the notification:
Description of the data protection incident
The notification must include a description of the nature of the data breach. It should explain what happened, how the incident was discovered and what is affected to enable the authority to assess the risks to the rights and freedoms of data subjects resulting from the incident.
Type of data concerned
The categories of personal data concerned and their number must be specified where possible. This also includes information on whether the data is sensitive data (e.g. health data, financial data) or more general personal data such as name, address or contact details.
Data subjects
Information on the categories and number of data subjects is also required, where possible, in order to assess the extent of the incident.
Possible consequences of the incident
It must be explained what consequences the breach is likely to have or will have for the data subjects, according to the controller's assessment. This assessment may, for example, be based on possible risks such as identity theft, fraud, reputational damage or financial loss.
Measures taken
The notification must also explain what measures have been taken or are planned to remedy the incident. These may be technical and/or organisational steps taken to contain the incident and protect affected individuals.
Contact details of the DPO or contact person
The contact details of the DPO or other point of contact for further information should be provided. This person will act as a point of contact for the supervisory authority and will provide additional information as necessary.
Interim Notification
If an incident cannot be fully resolved within the 72-hour period, the notification can be completed in stages. However, it is important to make a preliminary report within 72 hours of becoming aware of the incident, even if not all the details are known.
Informing those affected
Where a notification to data subjects is required, it does not need to contain detailed information on the categories and numbers of data subjects and data affected, but only a description of the data breach in clear and simple language. It must also provide a contact point for further information and a description of the likely consequences of the breach and the remedial measures taken or planned.
Examples of data breaches
Data protection incidents can occur in a variety of situations, such as:
- Loss or theft of documents, media or devices
- Accidental misdirection of information to the wrong recipient
- Accidental misconfiguration of servers/folders to allow unauthorised access to content
- Disgruntled former employees with malicious intent
- Ransomware or other cyber-attacks
Who is responsible for reporting a privacy incident?
The responsibility for reporting a data protection incident lies with the controller, as defined by the GDPR. The controller is the person, company or organisation that decides on the purposes and means of processing personal data. In many cases, the controller will have appointed a Data Protection Officer (DPO). The DPO plays a key role in handling data protection incidents. He or she assists and advises the controller in complying with the legal requirements, including assessing the obligation to report the incident. The DPO often acts as a point of contact with the supervisory authority and data subjects, but legal responsibility remains with the controller.
Special case: Processor
Data protection incidents often occur not directly with the controller, but with its processor. However, even in these cases, the controller remains obliged to report the incident. The processor must report the data protection incident to the controller without delay so that the controller can assess it in a timely manner and, if necessary, report it to the competent supervisory authority or to the data subjects. The processor shall assist the controller in doing so.
Situations in which a service provider is affected by a data protection incident involving both data that it processes on behalf of others (i.e., as a processor) and data that it processes under its own responsibility (i.e., as a controller, e.g. data of its own employees) are often complicated. It may then be necessary to immediately notify the customer(s) (as controllers) as well as the competent supervisory authority and, if applicable, the data subjects (the latter only for the data for which the service provider is itself the controller). This requires well-organised coordination and care in drafting the notifications.
How does the authority respond to a notification of a data breach?
After the data protection incident has been reported, the authority will investigate the incident and, if necessary, order measures or initiate its own supervisory action.
1. Confirmation of receipt by the supervisory authority
After an incident has been reported, the regulator will usually send an acknowledgement of receipt and check that the report contains all the necessary information. In some cases, the authority may ask for additional information.
2. Regulatory review
The authority will review the reported incident for its severity and potential impact. This will include an assessment of whether the measures taken are sufficient and whether the incident has been handled correctly. Depending on the potential risk, the authority may initiate a detailed investigation to ensure that the incident has been handled appropriately and that the necessary protective measures have been taken.
3. Possible instructions and measures from the authority
If the supervisory authority considers that additional measures are necessary, it may issue instructions to the company concerned. In particular, the supervisory authorities frequently recommend informing the data subjects, irrespective of whether a high risk exists. Pursuant to Art. 34 para. 4 GDPR, the authority may also order the controller to do so. In serious cases, the authority can also initiate proceedings for a fine or impose other sanctions, for example if the incident is due to inadequate data protection measures.
What are the penalties for a data breach?
The GDPR provides for significant fines in the event of data protection breaches. These can be imposed in two tiers, depending on the nature and severity of the breach:
- Up to €10 million or 2% of annual global turnover (whichever is higher) for less serious breaches. These include, for example, inadequate technical and organisational measures to ensure data security or inadequate or late notification of a data breach.
- Up to €20 million or 4% of annual global turnover (whichever is higher) for more serious breaches. These include failure to respect the rights of data subjects or lack of an adequate legal basis for data processing.
In less serious cases or for first-time offenders, the supervisory authority may issue a warning or caution without immediately imposing a fine. However, it also has the right to prohibit or temporarily suspend certain processing of personal data. This can have a massive impact on a company's operations, for example by shutting down certain processes or systems until the necessary security measures have been put in place. In addition to regulatory fines, there is always the risk of compensation claims from data subjects.
Is it possible to defend oneself against regulatory action?
Legal action can be taken against supervisory measures. However, especially in the case of data protection incidents, it is advisable to involve legal experts at a very early stage in order to avoid supervisory action from the outset, for example by providing the necessary information in the required level of detail and initiating remedial action independently.
What measures can be taken to minimise the risk of a data breach?
Avoiding or preventing privacy incidents depends largely on the technical and organisational measures taken, and is therefore as varied as the possible privacy incidents themselves. In practice, the greatest source of risk is probably people, which is why a particular focus should be placed on training.
Particularly with the ever-increasing threat of cyber-attacks (especially ransomware), in addition to technical security measures, employees must be able to recognise phishing emails, for example, and above all know how to act quickly and correctly in the event of an incident. For ransomware and other cyber-attacks, a comprehensive readiness assessment is particularly useful, where the key measures for preventing, detecting and responding to cyber-attacks are reviewed and, if necessary, implemented.
How we support you in the event of a data breach
- Reviewing the obligation to report an incident and reporting the data protection incident (if necessary)
- Internal coordination and crisis communication with affected parties, regulators and, if necessary, the public
- Defence against regulatory action and claims for damages
- Prevention: implementation of incident prevention measures and internal processes, and readiness assessments
- Incident review and advice on continuous improvement of appropriate measures
- Comprehensive advice on your data security and GDPR compliance
In cooperation with our sister company ISiCO GmbH, we can advise you on both the legal and technical aspects of data protection. Together with our partners caralegal and lawpilots, we can also offer you the best solutions in the areas of data protection management and employee training.
Why Schürmann Rosenthal Dreyer is your partner for data protection incidents
Over the past 16 years, Schürmann Rosenthal Dreyer has successfully advised countless clients in the area of data protection and handled a large number of data protection incidents. Our firm not only has experienced lawyers, but also technology experts who work together to make your digital projects legally compliant and future-proof.
Our expertise has been recognised many times: We won the prestigious JUVE award for Law Firm of the Year in Data Protection and IT and are ranked among the top law firms in the 2024 edition of The Legal 500.
Put your trust in Schürmann Rosenthal Dreyer - the partner who will successfully represent you with a unique combination of legal excellence and technical understanding.