Breach notification to the authority
The Incident
Under Article 4 (12) GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss or alteration of personal data, or to the unauthorized disclosure of, or unauthorized access to, personal data that has been transmitted, stored or otherwise processed. Because this definition is so broad, incidents that occur in everyday business operations regularly qualify as such a breach. For example, the permanent deletion of an email containing customer data, the sending of an email to the wrong recipient, or an incorrect entry of personal data into a system all count as breaches.
Getting started
As a first step, it is therefore important to document these incidents in an incident register. In most cases, however, simple breaches do not trigger an obligation to notify the data protection authorities or the data subjects. Decisive for the notification obligation are the risks to the persons concerned set out in Article 22. If the breach is unlikely to result in a risk to the rights and freedoms of natural persons, no notification is required. In all other cases, a notification must be made immediately, and at the latest within 72 hours.
The challenge for Swiss companies is to identify the competent supervisory authority. As a rule, this will be every data protection authority in whose jurisdiction affected data subjects are located. Jurisdiction follows from Article 55 GDPR and recital 122, which describes competence for processing activities that affect data subjects within the territory of the supervisory authority.
In most cases, the report can be submitted in a standardized manner via the websites of the respective data protection authorities. It must include at least the following information (where available):
- a description of the nature of the personal data breach, including, as far as possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other point of contact for further information;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed by the controller to remedy the personal data breach and, where appropriate, measures to mitigate its potential adverse effects.
As soon as the causes of the breach are known, the affected company must take corrective measures in line with the risk-based approach of the GDPR. In practice, this means taking measures proportionate to the seriousness of the potential infringement of the rights and freedoms of data subjects, while taking into account the state of the art and the cost of implementation.