Twitter fined – the 72h notification period for data protection breaches under Art. 33 GDPR knows no holidays (Part 3 of 3)
Author: Corinna Stanke
Company holidays or staff shortage – every company is familiar with these when holidays or school breaks are just around the corner. The final tasks are quickly completed, and temporary replacement plans are drawn up as to who must take over what in case of an emergency. However, data protection is often forgotten. This has now also become Twitter's undoing. In a three-part series of articles, our data protection officer and company lawyer, Corinna, examines the specifics of the notification deadlines for data protection violations.
Part 3 – Data protection breach notification obligations of the controller vis-à-vis data subjects according to Art. 34 GDPR
In Part 1 and Part 2, prompted by Twitter's data breach, we dealt with the notification obligation of the controller towards the supervisory authority and the notification obligation of the processor towards the controller according to Art. 33 GDPR.
In this third and final part, we will focus on the data controller's obligation to notify the data subjects under Art. 34 of the GDPR.
Three-part series of articles
To give you another idea of what is important with regard to the notification obligation under Art. 33 of the GDPR, we have summarised this for you in 3 parts. In Part 1, we explain the obligation of the controller to notify data protection breaches to the supervisory authority pursuant to Art. 33(1) of the GDPR; in Part 2, we address the question of whom the processor must notify of data protection breaches; and in Part 3, we finally address the obligation of the controller to notify data protection breaches to the data subjects pursuant to Art. 34 of the GDPR.
1. The data controller's obligation to notify the data subjects, Art. 34 GDPR
The notification obligation of the controller pursuant to Art. 33(1) GDPR is intended to ensure vis-à-vis the supervisory authority that, in the event of a data protection breach, the supervisory authority can verify whether the controller has complied with the requirements of Art. 33 GDPR. However, since the notification obligation is also intended to minimise the extent of a data breach by allowing the controller to take appropriate countermeasures, such countermeasures may also consist of the controller informing the data subjects about the data breach. Under certain circumstances, the data subjects themselves can take initial remedial measures to prevent serious damage, e.g. by blocking an account. This is to be ensured by the notification obligation according to Art. 34 GDPR.
The question is when you, as the controller, must also notify the data subjects of a data breach. According to Art. 34(1) of the GDPR, you must do so if the data breach is likely to result in a high risk to the rights and freedoms of the data subjects. You must then notify the data subjects without undue delay.
2. Data breach and likely high risk
As with the notification obligation of the controller to the supervisory authority pursuant to Art. 33 (1) of the GDPR, the starting point for the notification obligation is that a data protection breach has occurred, and a risk assessment has been carried out. With regard to the prerequisites of a data protection breach and the risk assessment, reference is therefore made to Part 1, "Notification of data protection breaches by the controller to the supervisory authority pursuant to Art. 33 (1) of the GDPR". For the notification obligation pursuant to Art. 33 (1) GDPR, you as the controller already had to determine whether a data protection breach has occurred and, if so, what risk (low, medium, high) may result for the data subjects.
3. Immediate notification, form and content of the notification
In principle, the data controller must notify the data subjects of the data breach without undue delay. In contrast to Art. 33(1) of the GDPR, however, the deadline is not tied to the moment the data breach becomes known. This is because the controller should usually consult with the supervisory authority or other authorities (e.g. law enforcement authorities) as to whether the data subjects are to be notified.
Therefore, as the controller, you generally have the opportunity to take your own appropriate measures to remedy or mitigate the data breach in close coordination with the supervisory authority before notifying the data subjects.
You must inform the data subjects about the data breach in clear and plain language in accordance with Art. 34(2) GDPR. The notification must contain at least the information required by Art. 33(3)(b), (c) and (d) GDPR. Although Art. 34(2) GDPR does not prescribe a particular form, you should at least use text form for documentation purposes.
4. Exceptions to the obligation to notify
However, you do not always have to notify the data subjects in the event of a data breach as defined in Art. 34(1) of the GDPR. Paragraph 3 of Art. 34 GDPR contains exceptions in this regard. [1]
a) Technical and organisational measures (prior measures)
A notification obligation does not apply if you have secured the personal data concerned by technical and organisational measures, e.g. by employing encryption methods, Art. 34(3)(a) GDPR. However, the encryption, for example, must not have been compromised. If the personal data is encrypted, but this encryption does not correspond to the current best standards, the obligation to notify continues to exist. In the risk assessment, you usually take into account the technical and organisational measures you had applied to the personal data before the data breach. This consideration will mostly rule out a high risk, provided that the measures taken correspond to the current best standards or are appropriate, in which case Art. 34 GDPR would, in principle, not have to be observed by you. The technical and organisational measures must be documented so that the supervisory authorities can inspect them.
b) Subsequent measures
You may also be exempt from the obligation to notify if you take appropriate measures to mitigate the risk after the data breach has occurred, Art. 34(3)(b) GDPR. The prerequisite is that, as a result of these measures, the high risk is no longer likely to materialise and that the data breach has not yet caused any damage to the data subjects. Therefore, if your previous technical and organisational measures were not sufficient, you must act quickly with subsequent measures so that no damage occurs to the data subjects in the meantime. You must again document the measures taken so that the supervisory authorities can assess whether they are sufficient. (Example of a subsequent measure in the event of unintentional disclosure of personal data to a third party: conclusion of an NDA with the recipient.)
c) Public disclosure
Finally, you do not have to inform data subjects individually about the data breach if this would involve a disproportionate effort, Art. 34(3)(c) GDPR. You must then inform the data subjects via a public communication (official notice) or a similar measure (e.g. a notice on the Internet), but in doing so you must still observe the requirements of Art. 34(2) GDPR. As a rule, this exception may apply to you if a large number of persons are affected by the data protection breach.
5. Powers of the supervisory authority and sanctions
If you fail to comply with the requirements of Art. 34 GDPR, you may again be subject to a fine by the supervisory authorities, Art. 83(4)(a) GDPR. In addition to or instead of the fine, the supervisory authorities may again impose other measures (e.g. warnings) on you pursuant to Art. 58(2) GDPR.
Furthermore, the notification pursuant to Art. 34(1) of the GDPR helps data subjects to assert claims for damages pursuant to Art. 82 of the GDPR based on the data protection violation.
[1] Article 34 GDPR in: Dejure [online] https://dejure.org/gesetze/DSGVO/34.html [21.12.2020].