Answer:
EU GDPR requires controllers to report personal data breaches "without undue delay and, where feasible, not later than 72 hours after having become aware of it" to the Supervisory Authority if the breach is likely to result in a risk to the rights and freedoms of natural persons (Article 33 - Notification of a personal data breach to the supervisory authority: https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/).
However, if a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay (Article 34 - Communication of a personal data breach to the data subject: https://advisera.com/eugdpracademy/gdpr/communication-of-a-personal-data-breach-to-the-data-subject/).
Controllers are not required to notify the data breach if the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.
So, it is the controller that needs to assess the severity of the data breach and decide which action to take.
To find out more about how to assess the severity of personal data breaches, you can consult our whitepaper "Assessing the severity of personal data breaches according to GDPR": https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr
Apr 13, 2018