Security breach notification


It is an incident that compromises the security of personal data, whether intentional or unintentional. If the incident does not affect personal data, it is not a data security breach.

There is no defined list, but some examples are:

  • Sending personal data to the wrong recipient.
  • Sending an e-mail to multiple recipients without using blind carbon copy (Bcc), exposing their addresses.
  • Theft or loss of mobile devices (laptops, memory sticks, etc.).
  • Encryption of data by ransomware.
  • Theft of e-mail credentials.
  • System failure causing data unavailability.
  • Public exposure of data due to a system configuration error.
  • Unauthorised access to a patient's medical history.
  • Theft of paper documentation.
  • Public exposure of data due to inadequate destruction of paper documentation.

When the breach may lead to harm (physical, material or immaterial damage) for the people whose data are affected. For example: loss of control over their data, restriction of data subjects' rights, discrimination, identity theft, financial loss, damage to reputation, unauthorised reversal of pseudonymisation, or loss of confidentiality of data subject to professional secrecy.

The notification allows the Authority to indicate to the controller whether it has handled the breach appropriately or, if not, to require the necessary actions to do so.

Failure to notify implies a breach of an obligation established by the GDPR. Therefore, it may lead to an investigation and, if appropriate, a sanction, in addition to damage to the reputation of the data controller.

Nothing happens. The notification is processed and, once it is concluded that there has been no breach requiring notification, the file is closed. In fact, when in doubt, it is preferable to notify.

The regulation obliges the data controller. If the breach is suffered by the processor, they must inform the controller immediately so that the controller can fulfil their obligations; and this includes, where applicable, notifying the breach to the APDCAT.

A processor may also notify a breach on behalf of the controller, and even communicate it to the affected individuals, if this is part of the contractual arrangements. However, the legal responsibility for notifying it and communicating it to the affected individuals always lies with the controller.

Public communication can be made, for example on the entity's website or in the media. This communication must also contain all the mandatory information.

So that those affected can take steps to protect themselves from the harmful effects of the breach.

An initial notification is made within 72 hours. Once all enquiries have been made and further information is available, the supplementary notification must be submitted without delay.

Last update: 19.12.2025