The General Regulation on the Protection of Personal Data (the Regulation) introduces a new obligation [1] for the controller, in the event of a security breach, i.e. a personal data breach, [2] to notify the supervisory authority and the personal data subject concerned.

With the transposition of the Regulation into the new legal solution, the controller will have the obligation to notify the DZLP about a security breach, i.e. a personal data breach, only if the breach is likely to pose a risk to the rights and freedoms of individuals. For each specific breach, the controller will therefore assess whether it has the obligation to notify the DZLP or not.[3]

Where the security breach, i.e. the personal data breach, is likely to result in a high risk to the rights and freedoms of the individual, the controller will also notify the personal data subject directly. [4]

The notification to the DZLP will contain the following information:

  • a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the OZLP or of another contact point where more information can be obtained;
  • a description of the likely consequences of the breach;
  • a description of the measures taken or proposed by the controller to address the breach or to mitigate its adverse effects.

The content of the notification to the personal data subject will be the same, but the nature of the breach should be described in clear and plain language.

Deadline for the notification:

Without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach. Where the notification is submitted later than 72 hours, it must be accompanied by the reasons for the delay.

Obligation to document:

The controller will have the obligation to document every security breach, i.e. personal data breach, including the facts relating to the breach, its effects and the remedial action taken. This documentation will enable the DZLP to verify compliance with this Article.

For controllers in the field of electronic communications, this obligation is already foreseen by the Law on Electronic Communications.[5]

The notification of a personal data security breach that an operator submits to AEK and to the Directorate for Personal Data Protection can be submitted through the e-report web application available at the following link.


[1] The basis for introducing this obligation in the Regulation is Article 4 paragraph 2 of the Privacy and Electronic Communications Directive 2002/58/EC, known as the “E-Privacy Directive”.

[2] A security breach, i.e. a personal data breach, will be considered to be: physical, material or non-material damage to the personal data subject, such as loss of control over their personal data, limitation of their rights, discrimination, identity theft, identity fraud, financial loss, breach of the confidentiality of personal data, or any other significant economic or social disadvantage to the subject concerned.

[3] Example: The controller will notify the DZLP about the loss of user data that could result in identity theft, but will not notify the DZLP about the loss of a list of employees’ official telephone numbers, because that breach does not pose a risk to the rights and freedoms of individuals.

[4] The controller will not have the obligation to notify the personal data subject about the breach if one of the following conditions is met:

  • the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the subject is no longer likely to materialize;
  • the notification would involve disproportionate effort, in which case a public notification is made or the subject is informed in another equally effective manner.

If the controller has not notified the subject, and the DZLP considers that a specific breach is likely to result in a high risk to the subject's rights and freedoms, the DZLP may require the controller:

  • to notify the subject of the breach, or
  • to demonstrate that one of the conditions under which there is no notification obligation is met.

[5] Article 167 of the Law on Electronic Communications