Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Data controllers are accountable for the security measures that they have implemented within their own organisations. The EU General Data Protection Regulation (GDPR) (2016/679) requires the implementation of appropriate technical and organisational security measures by taking into account:

  • the state of the art;
  • the implementation costs;
  • the nature, scope, context and purpose of processing; and
  • the likelihood and severity of the risk to the rights and freedoms of natural persons.

As specified in Article 32 of the GDPR, by way of example and where appropriate to the relevant risk, these measures may consist of:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

In this regard, the Data Protection Authority stated that it will provide best practices on which data controllers may rely to perform their own assessment of security measures.

Further, in early 2018 the EU Network and Information Security Agency issued:

  • a handbook on the security of personal data processing, which provides guidance on the minimum technical standards to be provided by companies for personal data processing; and
  • technical guidelines for the implementation of minimum security measures for digital service providers, which aims to provide a common EU level approach regarding security measures to be implemented by digital service providers. 

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

The GDPR has introduced an obligation that all controllers and processors must notify data breaches regardless of their qualification as a provider of a publicly available electronic communications service.

Under Article 34 of the GDPR, data controllers must communicate personal data breaches to the data subjects concerned without undue delay only when such breach is likely to result in a high risk to the rights and freedoms of natural persons. In this case, information provided to the data subjects must describe in clear language the nature of the personal data breach. The Article 29 Working Party provided guidance on how to assess the level of risk involved in a data breach in its guidelines on personal data breach notification under the GDPR. The document also offers guidance on the other obligations involved in the case of a data breach.

In its guidelines on the application of the GDPR, the Data Protection Authority has stated that the information to be provided to the authority in the case of a data breach is substantially similar to that required by Article 32bis(7) of the Data Protection Code for telecoms companies before the GDPR’s applicability.

Are data owners/processors required to notify the regulator in the event of a breach?

In case of a data breach, the data controller must notify the Data Protection Authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach.  Similarly, the data processor must notify the data controller without undue delay after becoming aware of a breach. Data controllers must provide to the Data Protection Authority with the information set out in Article 33(3) of the GDPR, including:

  • the nature of the personal data breach;
  • the categories and approximate number of data subjects concerned;
  • the likely consequences of the data breach; and
  • the measures taken or proposed to be taken by the controller to address and mitigate the effects of the breach.

The Data Protection Authority need not be informed of a breach where it is unlikely to pose a risk to the rights and freedoms of data subjects. The Article 29 Working Party has provided guidance on how to properly assess the level of risk involved in a data breach in its guidelines on personal data breach notification under the GDPR. The document also offers guidance on the other obligations involved in the case of a data breach.

The Data Protection Authority stated in its guidelines on the application of the GDPR that the information to be provided to the authority in case of a data breach is substantially similar to that required by Article 32bis(7) of the Data Protection Code for telecoms companies before the GDPR’s applicability.

Click here to view the full article.