Proposed EC regulations require breach notification within 24 hours

The leaked draft of European Commission regulations contains provisions that would require breach notification to the supervisory authority (Article 28) AND to the individuals affected (Article 29) within 24 hours after establishment of a breach.  Wow.

Article 28

Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall without undue delay and, as a rule, not later than 24 hours after the personal data breach has been established, notify the personal data breach to the supervisory authority .

2. Pursuant to point (f) of Article 23(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach.

3. The notification referred to in paragraph 1 must at least:

(a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data concerned;

(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;

(c) recommend measures to mitigate the possible adverse effects of the personal data breach;

(d) describe the consequences of the personal data breach;

(e) describe the measures proposed or taken by the controller to address the personal data breach.

4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Article 29

Communication of a personal data breach to the data subject

1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, in addition to the notification referred to in Article 28, communicate the personal data breach to the data subject without undue delay and, as a rule, not later than 24 hours after the personal data breach has been established by the controller.

2. The communication to the data subject referred to in paragraph 1 shall contain at least the information and the recommendations provided for in points (a), (b) and (c) of Article 28(3).

3. The communication of a personal data breach to the data subject shall not be required if the controller has demonstrated to the satisfaction of the supervisory authority that it has implemented appropriate protection measures, and that those measures were applied to the data concerned by the personal data breach. Such protection measures shall render the data unintelligible to any person who is not authorised to access it.

4. Without prejudice to the controller’s obligation to communicate the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject of the personal data breach, the supervisory authority, having considered the likely adverse effects of the breach, may require it to do so.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.

6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

About the author: Dissent

Comments are closed.