European Commission Regulation 611/2013 on the measures applicable to the notification of personal data breaches under the E-Privacy Directive (2002/58/EC) (the Regulation), effective as of 25 August 2013, elaborates on the existing requirements (contained in the E-Privacy Directive, as amended) on public electronic communications service providers to notify the relevant national data protection authority (NDPA) and, in some circumstances, the relevant subscribers or individuals, when personal data is lost or stolen. The Regulation is directly applicable in member states and requires no further transposition.

A key stipulation is that service providers notify the NDPA within 24 hours of detecting the breach and include the information set out in Annex 1. Where some of that information is not available within that time frame, service providers should provide an initial notification within 24 hours and a second notification containing the remaining required information within three days.

The subscribers or individuals themselves should be notified of the breach without undue delay if it is likely to adversely affect their personal data or privacy. Whether this is likely is determined by taking account of the nature and content of the data concerned, the likely consequences of the breach for the subscriber or individual, and the circumstances of the breach. Individuals or subscribers need not be notified if the service provider demonstrates to the relevant NDPA that it has implemented appropriate technological protection measures that render the data affected by the breach unintelligible. Unintelligible data for these purposes is data secured by one of the two methods provided for by the Regulation.