Notifying personal data security breaches

A security breach is considered to be recorded when there is certainty that it has occurred and there is sufficient knowledge of its nature and scope. The mere suspicion that there has been a failure or the finding that some type of incident has occurred without the slightest knowledge of the circumstances should not give rise to the notification. In most cases, under these conditions it is not possible to determine to what extent there may be a risk to the rights and freedoms of the data subjects. 

However, in cases of violations that, due to their characteristics, can have a great impact, it is recommended to contact the APDCAT as soon as there is evidence that an irregular situation has occurred with respect to the security of the data, regardless of whether these initial contacts are later complemented by a formal notification within the legally provided period. 

There may be cases where the notification of any of the required aspects cannot be done within 72 hours, for example, due to the complexity of fully determining the scope. In these cases, the notification of these aspects can be made later, accompanied by an explanation of the reasons that have caused the delay. 

The notification must include a minimum content that the GDPR itself establishes and that includes elements such as the nature of the violation, the categories of data and the data subjects, the measures taken by the data controller to handle the violation and, if applicable, the measures applied to alleviate the possible negative effects on the persons concerned. The information can also be provided in stages, when it cannot be done at the same time of the notification. 

Regardless of the notification to the control authorities, data controllers must also document all security breaches. Thus, they must carry out an internal record of the security incidents they have.

In addition to notifying the security breach to the APDCAT when it is likely that the breach will entail a high risk (significant or serious damage) to the rights of the data subject, the data controller must also communicate it without undue delay to the data subjects, with clear and simple language.

High risk exists when the security breach is likely to cause significant harm to the data subjects. This can happen, for example, if confidential information is revealed, such as passwords, participation in certain activities; if confidential data is disseminated on a mass scale or if economic damages can occur for the data subjects.

The purpose of this communication is to allow the data subjects to take measures to protect themselves from the consequences of the security breach. The aim is so the data subject can react as soon as possible. Therefore, it will be necessary to include the recommendations on the measures that the data subjects can take to deal with the consequences of the violation.

It will not be necessary to carry out this communication to the data subjects if:

• The data controller has adopted appropriate protection measures, such as making the data unintelligible to unauthorised persons. 
• The data controller has applied subsequent measures that ensure that the high risk is no longer likely to materialise. 
• It involves a disproportionate effort. In this case, they can opt for a public statement or an equivalent measure.

If the data controller uses a data processor and the latter suffers a security breach, this party must inform the data controller without undue delay, as soon as becoming aware of it, so that the data controller can comply with its notification obligations. The contract that regulates the processing must stipulate that the data processor must help the data controller to ensure compliance with the notification obligations.