Report to the Data Protection Authority
The Incident
In accordance with Article 4(12) GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data that has been transmitted, stored, or otherwise processed.
Given this broad definition, errors in the routine processing of personal data that occur in everyday business operations can also constitute a breach. For example, the permanent deletion of an email containing customer data, sending an email to the wrong recipient, or entering incorrect data into systems holding personal data are all classified as personal data breaches.
Getting Started
As a first step, it is therefore important to document such incidents in an incident register. In most cases, however, minor breaches do not trigger an obligation to notify the data protection authorities or the data subjects. Decisive for the notification obligation are the risks to the data subjects set out in Article 22 GDPR. If the breach is unlikely to result in a risk to the rights and freedoms of natural persons, no notification is required. In all other cases, a notification must be made immediately, and at the latest within 72 hours.
The challenge for Swiss companies is to identify the competent authority. As a rule, this is likely to be every data protection authority in whose jurisdiction data subjects are located. Jurisdiction follows from Article 55 GDPR and Recital 122, which describe responsibility for processing activities that affect data subjects within the territory of the supervisory authority.
In most cases, the report can be submitted in a standardized manner via the websites of the respective data protection authorities. It must include at least the following information (where available):
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the Data Protection Officer (DPO) or other point of contact for further information.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed by the controller to remedy the personal data breach and, where appropriate, measures to mitigate its potential adverse effects.
As soon as the causes of the breach are known, the affected company must take corrective measures in line with the risk-based approach of the GDPR. In practice, this means implementing measures proportionate to the severity of the potential infringement of the rights and freedoms of data subjects, taking into account the state of the art and the cost of implementation.