My favourites

Chapter IV – Controller and processor (Art. 24-43)

Art. 24 GDPR - Responsibility of the controller arrow_right_alt

Art. 25 GDPR - Data protection by design and by default arrow_right_alt

Art. 26 GDPR - Joint controllers arrow_right_alt

Art. 27 GDPR - Representatives of controllers or processors not established in the Union arrow_right_alt

Art. 28 GDPR - Processor arrow_right_alt

Art. 29 GDPR - Processing under the authority of the controller or processor arrow_right_alt

Art. 30 GDPR - Records of processing activities arrow_right_alt

Art. 31 GDPR - Cooperation with the supervisory authority arrow_right_alt

Art. 32 GDPR - Security of processing arrow_right_alt

Art. 33 GDPR - Notification of a personal data breach to the supervisory authority arrow_right_alt

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:
    1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the personal data breach;
    4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
Related
Close tabsclose
  • 85
  • 87
  • 88

Recital 85

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

Recital 87

It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

Recital 88

In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

Art. 34 GDPR - Communication of a personal data breach to the data subject arrow_right_alt

Art. 35 GDPR - Data protection impact assessment arrow_right_alt

Art. 36 GDPR - Prior consultation arrow_right_alt

Art. 37 GDPR - Designation of the data protection officer arrow_right_alt

Art. 38 GDPR - Position of the data protection officer arrow_right_alt

Art. 39 GDPR - Tasks of the data protection officer arrow_right_alt

Art. 40 GDPR - Codes of conduct arrow_right_alt

Art. 41 GDPR - Monitoring of approved codes of conduct arrow_right_alt

Art. 42 GDPR - Certification arrow_right_alt

Art. 43 GDPR - Certification bodies arrow_right_alt