The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding its requirements.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Can a company combine a breach notification message with other communications to impacted data subjects?
Answer: Generally no. The Article 29 Working Party took the position that “dedicated messages should be used when communicating a breach to data subjects.” Specifically, the Working Party advised that data breach notifications generally should not be “sent with other information, such as regular updates, newsletters, or standard messages.”