Board of the association

5. Report personal data breaches

The icon features a closed padlock with a symbol depicting a person in the middle. The shackle of the padlock is broken. The icon is surrounded by a light green frame. This icon can be used to express that the situation involves a personal data breach.

Given enough time, practically everyone who processes personal data experiences a personal data breach. Therefore, it is important for hobby organisers to define a process for handling personal data breaches. It must ensure that everyone taking part in the processing is able to identify personal data breaches and take the agreed-upon action. In certain cases, the Office of the Data Protection Ombudsman and the victims of the personal data breach must be informed of the breach.

What is a personal data breach?

A personal data breach means an incident that results in the destruction, loss, alteration or unauthorised disclosure of personal data, or that gives a party not authorised to process the data access to it. Examples of personal data breaches include

  • the loss of a data transfer medium, such as a USB memory stick;
  • the theft of a computer;
  • hacking or a cyber attack;
  • malware infection;
  • mailing an invoice to the wrong person; or
  • unauthorised access to personal data.

A personal data breach can result in, for example, identity theft or fraud, reputation damage or the disclosure of confidential personal data.

The most important thing is to initiate damage control measures as soon as possible after the personal data breach has been detected. The hobby organiser should draw up a process for handling personal data breaches and designate a person (such as a Data Protection Officer) responsible for investigating and documenting breaches.

When does a personal data breach have to be reported to the supervisory authority?

If the personal data breach causes a risk to the data subjects, it must be reported to the Office of the Data Protection Ombudsman within 72 hours of discovery. The report can be made using the notification form on the Office of the Data Protection Ombudsman’s website.

When do the victims of a personal data breach need to be informed of the breach?

If a personal data breach causes a high risk to the data subjects, the people affected by the breach must also be informed of it so that they can take the necessary precautions and prepare for the risks caused by the personal data breach.

In certain exceptional circumstances, the controller is not required to notify the data subjects of a personal data breach:

  • the controller has implemented appropriate technical and organisational protection measures and they have been applied to the personal data affected by the personal data breach (in particular those that render the personal data unintelligible to outsiders, such as encryption);
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
  • it would involve disproportionate effort, for example because the controller does not know who the data subjects are.

If the data subjects cannot be contacted personally, a public communication or similar measure whereby the data subjects are informed in an equally effective manner must be used.

If the controller has not communicated the personal data breach to the data subject, the supervisory authority may require it to do so.

The controller is obliged to document all personal data breaches, their effects, and the corrective measures taken. This means that, if a personal data breach occurs, you should keep all emails and other correspondence related to the matter, save system log data for the duration of the incident, and write down all measures taken and all individuals who have participated in managing the incident. The controller is responsible for evaluating the consequences of the personal data breach and whether the supervisory authority and data subjects should be notified of it.

Read more: Information on personal data breaches on the Office of the Data Protection Ombudsman’s website.

Example

The tennis coaches have their monthly meeting in the tennis hall’s cafeteria. There was no one else in the cafeteria during the meeting, but one of the coaches forgot a paper containing players’ health information on the table after the meeting. A group of players sitting in the cafeteria after their game found the paper and gave it to a cafeteria worker. The cafeteria worker told the tennis club’s president about what had happened.

The tennis club assessed the matter and decided that the incident could cause a high risk to the data subjects, that is the players, because the paper left on the table contained their health information and the tennis club did not know how many people could have seen the paper. The tennis club reported the personal data breach to the Office of the Data Protection Ombudsman and to the people whose information was on the paper.

What information do you need to give to the supervisory authority about a personal data breach?

The data breach notification filed with the supervisory authority must include at least the following information:

  1. a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. a description of the likely consequences of the personal data breach; and
  4. a description of the measures taken by the controller to address the incident, including, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide the above-mentioned information at the same time, the information may be provided in phases without undue further delay.

What information do you need to give to the data subjects about a personal data breach?

Individuals affected by the breach must be provided the following information about the incident in clear and plain language:

  1. what has happened;
  2. what the likely consequences of the personal data breach are to the person;
  3. what measures the controller has taken to address the personal data breach and what measures it has taken to mitigate the possible adverse effects of the breach; and
  4. the contact details of the data protection officer or other contact point where more information can be obtained.
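The notification decisions described above (report to the supervisory authority within 72 hours of discovery when there is a risk; inform the data subjects when there is a high risk, unless one of the three exemptions applies) and the two lists of required information can be written down as a small breach register. The following is an added example for this guide, not code from the GDPR4CHLDRN project or the Office of the Data Protection Ombudsman: the class and function names, the field names and the sample incident (modelled on the tennis club example) are constructed for illustration.

```python
"""Personal data breach register and notification helper (added example).

Not part of the guide; names and the sample incident are constructed.
Rules encoded: 72-hour report to the supervisory authority when the
breach causes a risk; individual notification of data subjects when it
causes a high risk, except where the data was made unintelligible
(e.g. encrypted), the high risk has since been removed, or contacting
people individually would involve disproportionate effort.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    UNLIKELY = "risk unlikely"
    RISK = "risk"
    HIGH = "high risk"


@dataclass
class BreachRecord:
    nature: str                    # what happened (authority report item 1)
    discovered_at: datetime        # start of the 72-hour clock
    risk: Risk                     # result of the controller's risk assessment
    subject_categories: list[str]  # e.g. ["junior players"]
    approx_subjects: int
    data_categories: list[str]     # e.g. ["health data"]
    approx_records: int
    contact_point: str             # DPO or other contact (item 2)
    likely_consequences: str       # item 3
    measures_taken: list[str]      # item 4
    data_unintelligible: bool = False   # exemption: encryption or similar
    high_risk_removed: bool = False     # exemption: subsequent measures
    subjects_identifiable: bool = True  # exemption: disproportionate effort
    log: list[str] = field(default_factory=list)  # documentation trail


AUTHORITY_DEADLINE = timedelta(hours=72)


def record_step(rec: BreachRecord, when: datetime, who: str, what: str) -> int:
    """Documentation duty: keep a dated record of who did what. Returns log size."""
    rec.log.append(f"{when.isoformat()} {who}: {what}")
    return len(rec.log)


def authority_deadline(rec: BreachRecord) -> datetime:
    """Latest time for the report to the supervisory authority."""
    return rec.discovered_at + AUTHORITY_DEADLINE


def must_notify_authority(rec: BreachRecord) -> bool:
    return rec.risk in (Risk.RISK, Risk.HIGH)


def subject_notification(rec: BreachRecord) -> tuple[bool, str]:
    """Return (notify each data subject individually, reason)."""
    if rec.risk is not Risk.HIGH:
        return False, "no high risk to the data subjects"
    if rec.data_unintelligible:
        return False, "data was rendered unintelligible to outsiders (e.g. encrypted)"
    if rec.high_risk_removed:
        return False, "subsequent measures mean the high risk is no longer likely"
    if not rec.subjects_identifiable:
        return False, "disproportionate effort: use a public communication instead"
    return True, "high risk to the data subjects"


def authority_report(rec: BreachRecord) -> dict:
    """The four items the supervisory authority must at least receive."""
    return {
        "nature_of_breach": rec.nature,
        "data_subjects": {"categories": rec.subject_categories,
                          "approx_number": rec.approx_subjects},
        "data_records": {"categories": rec.data_categories,
                         "approx_number": rec.approx_records},
        "contact_point": rec.contact_point,
        "likely_consequences": rec.likely_consequences,
        "measures_taken": list(rec.measures_taken),
    }


def subject_notice(rec: BreachRecord) -> dict:
    """The four items data subjects must receive, in plain language."""
    return {
        "what_happened": rec.nature,
        "likely_consequences_for_you": rec.likely_consequences,
        "what_we_have_done": list(rec.measures_taken),
        "where_to_ask_more": rec.contact_point,
    }


def sample_incident(**overrides) -> BreachRecord:
    """Constructed sample modelled on the tennis club example in the guide."""
    rec = BreachRecord(
        nature="Printed list of players' health information left on a cafeteria table",
        discovered_at=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc),
        risk=Risk.HIGH,
        subject_categories=["junior players"], approx_subjects=12,
        data_categories=["health data"], approx_records=12,
        contact_point="club data protection contact (placeholder)",
        likely_consequences="unknown number of people may have read health data",
        measures_taken=["paper recovered", "meeting handout practice changed"],
    )
    for key, value in overrides.items():
        setattr(rec, key, value)
    return rec
```

Running `sample_incident()` through `must_notify_authority`, `authority_deadline` and `subject_notification` reproduces the tennis club outcome: both the authority and the players are informed, and the report is due 72 hours after discovery. Setting `data_unintelligible=True` shows the first exemption switching off individual notification while the authority report is still required.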

Remember

Detect personal data breaches, assess the risks they cause to the data subjects, and notify the supervisory authority and people affected if necessary. Document the events and the steps of managing the breach.

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the granting authority can be held responsible for them.

Information on the website

The site contains material that provides information on data protection legislation and the protection of personal data, especially for children and young people aged 13–17, their parents, and associations that organise hobby activities. The website has been developed in the GDPR4CHLDRN – Ensuring data protection in hobbies project (2022–2024) implemented by the Office of the Data Protection Ombudsman and TIEKE.

Feedback about the site can be given by e-mail to the address tietosuoja@om.fi. In the message field, you must mention tietosuojaharrastuksissa.fi, so that the feedback is directed to the correct address.


© 2024 Office of the Data Protection Ombudsman and TIEKE. The site uses free Font Awesome icons. The icons have not been changed. License: CC BY 4.0