Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

​Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Article 32 of the EU General Data Protection Regulation (GDPR) provides for general data security obligations – especially to secure personal data against:

  • unauthorised access;
  • accidental or unlawful destruction, manipulation, disclosure and transfer; and
  • other unlawful processing.

Data controllers must also comply with data confidentiality rules and ensure that personnel who process personal data are bound by confidentiality obligations (Section 6 of the Austrian Data Protection Act).

The GDPR does not expressly stipulate which data security measures must be taken but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices are crucial in determining the necessary data security measures to take in the event of a breach of the act or internal control systems. Such practices are particularly relevant in the context of an internal control systems breach, where the courts will examine the potential liability of persons responsible for the breach (eg, managing directors). Liability for insufficient data security seldom arises when good industry practices are followed.

Appropriate technical and organisational measures that must be implemented may include:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Yes. Pursuant to Article 33 of the GDPR, the controller must notify the Data Protection Authority of any personal data breach within 72 hours, unless the breach is unlikely to result in a risk to data subjects. Such data breach notification must contain a sufficient and detailed description of:

  • the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the data breach; and
  • the measures taken or proposed to be taken by the controller to address the data breach, including measures to mitigate its possible adverse effects.

In addition to notifying the Data Protection Authority, the controller must communicate the data breach to the data subjects without undue delay when the data breach is likely to result in a greater risk for data subjects (Article 34 of the GDPR). This communication must:

  • describe in clear and plain language the nature of the personal data breach; and
  • at least contain:
    • the name and contact details of the data protection officer or a different contact point;
    • the likely consequences of the breach; and
    • the measures taken or proposed to address the breach and mitigate its possible adverse effects.

Are data owners/processors required to notify the regulator in the event of a breach?

The GDPR establishes an obligation to report data breaches to the Data Protection Authority. Pursuant to Article 33 of the GDPR, the controller must notify the Data Protection Authority of any personal data breach within 72 hours, unless the breach is unlikely to result in a risk for the data subjects. The notification must include a detailed description of the data breach, as well as potential consequences and adapted countermeasures.

If the data breach is likely to result in an elevated risk for data subjects, the controller must also communicate the data breach to the data subjects concerned without undue delay (Article 34 of the GDPR).

Click here to view the full article.