Guidelines 01/2021 on Examples Regarding Data Breach Notification

On 18 January 2021 the European Data Protection Board announced these guidelines for public consultation. Comments should be sent by 2 March 2021.

The General Data Protection Regulation (GDPR) introduces the requirement for a personal data breach to be notified to the competent national supervisory authority (hereinafter “SA”) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach (Articles 33 and 34).

The Article 29 Working Party already produced general guidance on data breach notification in October 2017, analysing the relevant Sections of the GDPR (Guidelines on Personal data breach notification under Regulation 2016/679, WP 250) (hereinafter “Guidelines WP 250”). However, due to its nature and timing, this guideline did not address all practical issues in sufficient detail. Therefore, the need has arisen for practice-oriented, case-based guidance that utilizes the experiences gained by SAs since the GDPR became applicable.

This document is intended to complement the Guidelines WP 250 and it reflects the common experiences of the SAs of the EEA since the GDPR became applicable. Its aim is to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.

Copyright Widler & Schiemann AG 2020. All Rights Reserved.