Expert Advice Community

Data breach notification

Guest user Created:   Nov 19, 2017 Last commented:   Nov 19, 2017

We are a virtual dataroom provider. Our customers upload documents to a dataroom. These could be Word, PDF, Excel, pictures, etc. The trouble is that there might be highly sensitive personal information in there, but we do not know, since our customers are responsible for uploading. How do I handle this situation in terms of contracts, incident response procedures, etc.?

Expert
Dejan Kosutic Nov 19, 2017

Answer: Based on the information provided, there could be two potential situations that should be considered:

1) If the customers are legal entities (companies), the company would have to notify the affected legal entities about the personal data breach and not the Supervisory Authority. Usually the requirements for the breach notification (both timing and content of the notification) would be established by the customers and mentioned in a legally binding document (a diligent customer would require the provider to notify all data breaches and not only personal data breaches). The Data Breach Response and Notification Procedure from the EU GDPR Implementation toolkit would provide guidance on how to handle the personal data breach internally: https://advisera.com/eugdpracademy/documentation/data-breach-response-and-notification-procedure/

2) If the customers are natural persons (individuals), then the data breach could also be handled based on the Data Breach Response and Notification Procedure from the EU GDPR Implementation toolkit.

With regards to the assessment of the impact of the personal data breach, if the provider has access to the personal data that was subject to the data breach, the provider should identify the risk for the customers and determine the notification requirements.

However, if the Data Center cannot access the information, it is advisable to have a clause in the Terms & Conditions or the contract stating roughly that the customer should not upload any personal data or sensitive information without implementing adequate security measures such as encryption, and that the provider would not be responsible for any direct or indirect losses generated by the personal data breach.
