Filling templates

Guest user Created:   Dec 23, 2020 Last commented:   Dec 31, 2020

In document (10.3 Data Breach Notification Form to the Supervisory Authority) there is a reference to the supervisory authority address, could you please explain what we would enter here? 
Would it be the DPA (Data Protection Authority) agency within the European Union country that is responsible for GDPR assistance and enforcement? Or the Information Commissioner's Office (ICO) in the UK's supervisory authority for the GDPR that is responsible for promoting and enforcing the legislation?

We also have a question regarding document (10.1 section 11, Data breach response and notification procedure) it calls for us to provide “Call lists & substitution” and “contact details”, would this be the persons within our organization that are responsible for acting upon a data breach, “Incident response team”? Do you have a template for these?

Expert
Alessandra Nisticò Dec 29, 2020

"In document (10.3 Data Breach Notification Form to the Supervisory Authority) there is a reference to the supervisory authority address, could you please explain what we would enter here? Would it be the DPA (Data Protection Authority) agency within the European Union country that is responsible for GDPR assistance and enforcement? Or the Information Commissioner's Office (ICO) in the UK's supervisory authority for the GDPR that is responsible for promoting and enforcing the legislation?"

You should enter the EU Supervisory Authority of the Member State where the company is located or where the EU representative is located. The ICO is the Supervisory Authority in the UK until the end of the transition period.

If you are based in the UK, then from 1st January 2021 the transition period has ended and you will need to appoint an EU representative and refer to the Data Protection Authority (DPA) of such country.

The ICO will be responsible for enforcing the UK Data Protection law.

"We also have a question regarding document (10.1 section 11, Data breach response and notification procedure) it calls for us to provide “Call lists & substitution” and “contact details”, would this be the persons within our organization that are responsible for acting upon a data breach, “Incident response team”? Do you have a template for these?"

Section 11 of Data breach response and notification procedure helps you to manage records in case of a data breach, while the records are mentioned earlier in this procedure.

For example, the call lists and contact details are mentioned in Section 4.

In the case of a data breach, Article 34 GDPR requires data subjects to be informed when a data breach poses a high risk to the rights and freedoms of individuals (employees, clients, suppliers, etc.). The controller must inform the data subjects without undue delay, in plain language, specifying “the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”

Therefore, you should indicate the name of the records (i.e. Clients, Prospects, Suppliers, Employees) and the location in the intranet of your contact list. It can be an address book, an email list (i.e. Google Contacts), or the CRM; it is difficult to provide a template because it varies from organization to organization.

The person responsible for storage is the Data Breach Response Leader (the job title of the person in charge of addressing a data breach, like the CTO) and, as “Controls for records protection”, “Only authorized persons can edit the file” or, if the records are paper-based, “Only authorized persons can access the address book” (in the case of a small non-digital company like a local shop).

Here you can find more information on how to address a data breach:

To learn how to manage a data breach you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Guest
David Hall Dec 29, 2020

Thank you for your detailed responses! Our company is in the US but we have a representative in Austria (Prighter). I assume I use this address for the supervisory authority address? Can you confirm if this is correct?

Expert
Alessandra Nisticò Dec 31, 2020

"Thank you for your detailed responses! Our company is in the US but we have a representative in Austria (Prighter). I assume I use this address for the supervisory authority address? Can you confirm if this is correct?"

Yes, you should refer to the Austrian Supervisory Authority.
