Article 34. GDPR. Communication of a personal data breach to the data subject

Author: Alexander Dix

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
  3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

  4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

A. Preliminary remarks

The controller’s obligations to provide for transparency cannot be restricted to notifications to the supervisory authority according to Art. 33 but under certain circumstances have to include the data subject as well. The communication of breaches to the data subject is however not prescribed in all those cases where the authority has to be notified. Articles 33 and 34 provide for a two-tier concept of transparency in the case of data breaches. Not all data breaches which have to be notified to the supervisory authority have to be communicated to the data subject, but all breaches thus communicated have to be notified under Art. 33. The purpose of communicating breaches to the data subject is primarily to enable him to take measures for self-protection and mitigating the damage and to inform data subjects about measures taken by the controller.

B. Legislative history

The Commission had proposed to communicate breaches to the data subject whenever they are likely to adversely affect the protection of personal data or the privacy of the data subject. While the Parliament supported this in general, the Council favoured a high risk to the rights and freedoms of natural persons as the precondition for an obligation to communicate. The Council also proposed to include practical examples in the Regulation (→ Art. 33 mn. 2). These proposals were accepted in the trilogue, although the examples were only included in Recital 85. The Commission and the Parliament both proposed that the controller should not be required to communicate breaches if he demonstrates to the satisfaction of the supervisory authority that he has implemented appropriate technological protection measures and has applied them to the data concerned by the breach. As proposed by the Council, the explicit burden on the controller to demonstrate such measures was deleted and the catalogue of exceptions was extended to include cases where the controller has taken subsequent measures to ensure that the high risk to the protection of data is no longer likely to materialise and cases where the communication would involve disproportionate effort. In the latter case the individual communication was to be replaced by a public communication or a similar, equally effective measure. The Directive (EU) 680/2016 on data protection for the police and justice sector contains an equivalent obligation to communicate (Art. 31) with more far-reaching exceptions.

C. Obligation to communicate to the data subject (Art. 34 para. 1)

I. High risk

The controller’s duty to communicate personal data breaches to the data subject supplements the information obligations under Chapter III. The provision differs from the obligation to notify the authority under Art. 33 (→ Art. 33 mn. 6 et seq.) in that the risk to the rights and freedoms of natural persons caused by the personal data breach is a substantive precondition for the obligation to communicate, rather than the absence of such risks being an exception. A high risk to the protection of data is required here. Under Art. 34 para. 1 the controller is obliged to investigate whether the data breach is likely to cause a high risk to the rights and freedoms of natural persons. This should however not lead to the conclusion that the duty to inform the data subject – as opposed to the obligation to notify the supervisory authority under Art. 33 – is the exception rather than the rule and that when in doubt the controller should not inform the data subject. For one thing, the requirements of the high risk threshold should not be overstretched. Furthermore, the controller in any case has to investigate which consequences the breach is likely to have for the data subject. He should not see notification of the data subject as an exception which would only become applicable once he receives information on a high risk from third parties. If the controller wants to safely avoid non-compliance and sanctions he should – when in doubt – inform the data subject, just as he should notify the supervisory authority.

Recital 85 explains – as for Art. 33 – in a non-exhaustive list of examples which kinds of risk are to be addressed (→ Art. 33 mn. 9). Just as with the duty to notify breaches to the supervisory authority (→ Art. 33 mn. 11), the risk requirement has to be interpreted less strictly if grave effects on the rights and freedoms of data subjects are at stake. The Article 29 Working Party and the European Data Protection Board have given practical guidance on how to establish the risks of data breaches and have illustrated this with numerous examples which can be relied upon for interpreting Art. 34 para… Data breaches which concern special categories of personal data under Art. 9 para. 1 (e.g. health data) generally lead to a high risk within the meaning of Art. 34 para. 1. The same applies to bank and credit card data. Furthermore, to establish whether there is a high risk the examples listed in Art. 35 para. 3 can be useful. These are a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling; processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; as well as systematic monitoring of a publicly accessible area on a large scale. As with respect to Art. 33 (→ Art. 33 mn. 9), guidelines, recommendations and best practices published by the European Data Protection Board (Art. 70 para. 1 lit. e and g) and codes of practice under Art. 40 para. 2 lit. i play an important role, although they will not have a direct exonerating effect on controllers complying with them. Loss of confidentiality of personal data, especially if protected by professional secrecy, is only one example of a high risk. As set out in Recital 85, loss of control over personal data, in particular loss of availability, e.g. by destruction, erasure or alteration, may lead to a high risk for the data subjects under Art. 34 para. 1.

II. Addressees of the communication and of the obligation to communicate

Where a high risk is likely, the controller has to communicate the data breach to the natural persons whose rights and freedoms will be adversely affected by the data breach. If it cannot be ascertained for sure which data subjects may be affected by the breach, all potentially affected data subjects will have to be informed. These persons need not be Union citizens or resident in the Union. Even persons outside the European Union will have to be informed if their data have been processed by the controller and are subject to the breach. Controllers not established in the Union have the same obligation if the GDPR applies to them (Art. 3 para. 2). With regard to joint controllers and processors, reference is made to the comments on Art. 33 (→ Art. 33 mn. 5, 12).

[…]