One of the most significant innovations introduced by the new EU Data Protection Regulation (GDPR) is the obligation, for public administrations and companies, to report cases of Data Breach to the Privacy Guarantor, that is, all IT security breaches capable of involving the loss, destruction or undue dissemination of the personal data processed.
To simplify the transposition of the new legislation, the Privacy Guarantor has published a useful infographic on its institutional website, summarizing the formalities required in the event of a personal data breach.
This requirement is part of a much broader reform of the GDPR legislation on the protection of personal data, through which the European Commission aims:
1. to harmonize the laws of the various Member States, guaranteeing a uniform and homogeneous discipline regarding the protection of privacy;
2. to strengthen the protection of personal data within the European Union, introducing new transparency obligations for
3. to remove obstacles to the free movement of data within the European Union, while ensuring greater protections, rights and powers of control for citizens.
The General Data Protection Regulation (GDPR) will apply from 25 May 2018, after a transition period of two years, at the end of which the individual States must guarantee complete alignment between national legislation and the provisions of the new Regulation.
What is a Data Breach
What exactly is meant by "Data Breach"?
According to the new European Regulation (art. 4, c. 12), "personal data breach" means any breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The EU Regulation therefore extends to Data Controllers and Data Processors the obligation to report to the Privacy Guarantor any personal data breach resulting from computer attacks, illegal access, accidents or natural disasters, such as fires or floods. Before the reform, this requirement was limited to "publicly available electronic communications service providers".
The objective of this communication is clearly to allow the Privacy Guarantor to take action as soon as possible, promptly assess the seriousness of the situation and establish any corrective measures to be imposed on the Data Controller to minimize the dangers for the privacy of the interested parties to whom the data refer.
In fact, the serious harm that would arise in the event of loss, destruction, modification or undue disclosure of personal data is evident: if not adequately and promptly addressed, a Data Breach can cause physical, material or immaterial, social or even economic damage to the natural person concerned (think, for example, of identity theft, fraud, discrimination, loss of professional secrecy, etc.).
Data Breach: the fulfilments foreseen by the Privacy Guarantor
The European GDPR Regulation specifies who is subject to the notification obligation, the time limits, the methods and content of the notification, and the penalties provided for in the event of non-compliance with the legislation.
The report must be made by the Data Controller in a clear and specific way, as soon as possible, and must describe the nature of the breach, the circumstances relating to it, its probable consequences and the measures adopted (or that it intends to adopt) to remedy it and mitigate possible negative effects.
The communication must also indicate the Data Protection Officer, with the related contact details.
The deadline within which to notify the Privacy Guarantor varies according to the subject:
– Telephone companies and Internet providers:
The notification to the Guarantor must be made, if possible, within 72 hours of becoming aware of the fact, unless it is unlikely that the personal data breach presents a risk to the rights and freedoms of natural persons.
In particular, within 24 hours of discovering the event, these companies must provide the Guarantor with the minimum information necessary to allow a first assessment of the extent of the breach; then, within three days of the event, they must complete the documentation with all the information required by law.
If the notification to the supervisory authority is not made within the expected 72 hours, the Data Controller can still send it, but must also attach a document explaining the reasons for the delay.
– Public administrations and public and private health structures:
These subjects must report, within 48 hours of discovery, all data breaches or cyber incidents that may have a significant impact on the personal data contained in their databases (or processed through the health dossier).
The deadline is reduced to 24 hours if the data breach risks having a significant impact on the biometric systems installed or on the personal data stored.
In more serious cases, when the personal data breach is likely to present a high risk to the rights and freedoms of natural persons, the Data Controller is also obliged to communicate the breach, without undue delay, to the person to whom the data refer (the so-called "interested party", i.e. the data subject).
Although communication to the data subjects is not required if the controller can demonstrate that it applied security measures, such as encryption or anonymization, that render the data unintelligible, the Guarantor may still, at its discretion, order that the interested parties be informed.
The penalties provided for in the case of Data Breach
If public administrations or companies do not comply with the obligations of the Data Breach rules, the GDPR Privacy Regulation provides for fines of up to 10,000,000 euros or, for companies, up to 4% of the annual worldwide turnover of the previous year, if higher.