Before you begin to address a personal data security breach, you need to recognize whether it is such an event.
In the Personal Data Protection Law, the violation is defined as:
“any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed”.
“Destruction” of personal data is the moment when the data no longer exists or no longer exists in the form in which you used it.
“Modification” of personal data is when the personal data is altered, corrupted or no longer considered complete.
“Loss” of personal data should be interpreted as the possible existence of the data, but you have lost control over or access to it, or the data is no longer in your possession.
“Unauthorized or illegal processing” may include disclosure of personal data (or provision of access to data) to users who are not authorized to obtain or access the data, or some other form of processing that is contrary to the Personal Data Protection Law.
An example of loss of personal data could be a situation where a device containing a copy of your customer database is stolen or lost.
Another example of personal data loss could be a situation where the only copy of personal data is encrypted by a hacker with ransomware (malware) or it is encrypted by you with a key that is no longer in your possession.
A breach is a type of security incident, but the Personal Data Protection Law applies only in the event of a breach of personal data security. Hence, although all breaches are considered security incidents, not all security incidents necessarily involve a breach of personal data security. A consequence of the violation of the security of personal data includes non-compliance with the principles related to the processing of personal data.
In the event of a security breach of personal data, you are obliged to notify us immediately and no later than 72 hours after you have learned about it, unless there is a probability that the breach of security will result in a risk to the rights and freedoms of natural persons.
If you notify us after the expiration of the 72-hour period, together with the notification, you should provide us with an explanation of the reasons for the delay.
The notice was delivered by:
Personal Data Protection Agency
Blvd. “Goce Delchev” no. 18, 1000 Skopje PO Box 417
incident[at]privacy.mk