Notify a Personal Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A controller shall notify a personal data breach to this Office without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
The notification shall not be required in those specific cases where the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
To facilitate the process, controllers should follow this link, complete and submit the online notification form.
The reference number indicated in the acknowledgment email received following the submission of the online form should be cited in any further communication with this Office on a notified data breach.
IMPORTANT: controllers must carry out a risk assessment to decide whether the security incident poses any risk to the data subjects and, as a consequence, whether the breach must be notified to the Supervisory Authority. For instance, a single email sent to one wrong recipient is unlikely to result in a risk to the rights and freedoms of individuals, and this Office therefore should NOT BE NOTIFIED.
For more information on how to conduct such a risk assessment, controllers may refer to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification.