Personal data breaches

The consequences of, for example, sensitive data leaking to the internet can be very different to those of not being able to access your personal data due to an information system malfunction.

The more sensitive the data affected by the personal data breach, the greater the risk to the persons concerned. A combination of different data types on the data subject is frequently more sensitive than a single data item. When a personal data breach affects a large group, so will the consequences.

It is important to assess how easily the data subjects can be identified from the materials affected by the personal data breach, either directly or indirectly in combination with other data. Identifiability can be influenced by how well the data has been encrypted or pseudonymised, among other things.

Personal data breaches can have more serious consequences when they involve children or others in a vulnerable position.

The sector and role of the controller can have an impact on the severity of the risk caused by the personal data breach. For example, if the personal data breach occurs in the patient record system of a hospital, the threat to the data subjects will probably be greater than if it had taken place in a newspaper's subscriber register.

The consequences of a personal data breach can be considered particularly severe if it can result in identity theft, fraud, anxiety, humiliation or loss of reputation.

The party that gained access to the information can also affect the consequences that can be expected. The likelihood of misuse can be greater if it is known that the data fell into the hands of a criminal, for example.

When assessing the risk involved in a personal data breach, take the severity and probability of the possible consequences into account. The risk related to a personal data breach is the greater, the more severe and probable the consequences for individuals.

In the notification, the controller must provide a detailed assessment of the severity of the personal data breach's possible impact on the data subject. The purpose is to specifically assess the severity of the impact to the data subject instead of the consequences to the controller.

If the controller states on the Office of the Data Protection Ombudsman's notification form that the severity of the possible impact to the data subject is Significant or Maximal, it means that, as a rule, the controller must notify the data subject of the incident without undue delay and enter Yes or No, but they will be informed under "Communication to data subjects" on the form.

It is the controller's duty to assess the severity of the potential impact of the data breach. If the controller has assessed the severity of the impact to the data subject incorrectly, the supervisory authority will ultimately decide, based on the information provided by the controller, whether the threshold for notifying the data subjects is crossed.

The Office of the Data Protection Ombudsman can order the controller to notify the data subjects if the notification threshold is crossed and the controller has not notified the affected data subjects of the personal data breach on its own initiative.

The Office of the Data Protection Ombudsman's data breach notification form contains three notification types: Complete notification, Preliminary notification and Complementary notification.

A complete notification is filed if the controller is aware of the details of the data breach. Some details may still be unclear when filing the notification, but it is clear to the controller based on the facts uncovered that the incident involves a personal data breach that meets the criteria for notifying the supervisory authority.

The preliminary notification is intended to give controllers the opportunity to report observations of potential personal data breaches when the details are still scarce or unclear. If a controller files a preliminary notification, it must complement the notification on its own initiative when it obtains more information about the incident.

Filing a complementary notification on your own initiative simplifies and expedites the processing of the matter by the supervisory authority and decreases the need for the supervisory authority to contact the controller.

If the controller states in the personal data breach notification that it is still investigating some details of the incident, it must remember to file a complementary notification on its own initiative once it has obtained the required further information.

The personal data breach notification should be filed without undue delay even if the details of the event are not fully clear yet. The supervisory authority must be notified of the data breach within the time limit.

If a controller detects a personal data breach that the supervisory authority must be notified of, the controller must carry out this notification without undue delay and, where feasible, within 72 hours. If the notification is not made within 72 hours, the controller must provide a justified explanation for the delay to the Office of the Data Protection Ombudsman.