How to behave in the event of a personal data breach
The protection of personal data is extremely important in today’s fast-paced digital age, and attempts to compromise the security of personal data are not rare; in practice, the term personal data breach is commonly used for such incidents. However, this term is often confused with the term data leak.
A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A data leak, on the other hand, is the inadvertent disclosure of sensitive information that may lead to its misuse or abuse. To simplify, a data leak is usually an accident, whereas a personal data breach can occur for a variety of reasons including intentional acts, negligence or mistakes. The General Data Protection Regulation (GDPR) provides a solid framework to prevent such situations and to protect individuals’ data privacy rights.
Under the GDPR, controllers and processors of personal data are obliged to put in place technical and organizational measures to effectively secure personal data. Controllers are primarily responsible for three layers of procedures: first, measures to prevent incidents (the technical and organizational measures that secure personal data); second, procedures to detect and assess a potential incident; and finally, procedures and measures to deal with the incident, minimize its negative consequences and report it to the appropriate places.
In the event of a personal data breach, the GDPR imposes specific obligations on the controller, which the controller must comply with under threat of sanctions. The controller must report such an incident to the supervisory authority (the data protection authority) within 72 hours of becoming aware of the breach. If a personal data breach occurs on the part of the processor, the processor must notify the controller without undue delay. If the personal data breach poses a high risk to the rights and freedoms of the data subjects concerned, the controller must also notify them. However, the GDPR provides for exceptions to this obligation, for example where the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize. Finally, the controller is obliged to document all breaches, regardless of their severity, and to record the facts relating to the breach, its effects and the corrective measures taken.
As comprehensive data protection becomes more prevalent in the digital environment, it is important to understand and comply with the GDPR, including the provisions relating to data breaches. By prioritizing data protection and implementing proactive measures, companies can effectively mitigate risks, protect individuals’ rights and maintain compliance.
As part of our services, we help clients with legal support immediately from their request to ensure that all deadlines are met. We also regularly assist with follow-up advice on data security. Feel free to reach out.