Notification of personal data security breaches during the state of alarm
The critical situation caused by the COVID-19 pandemic at a global level has forced us to change our habits radically, to adopt social distancing measures and to use teleworking tools in order to continue performing professional tasks. This has led to an increase in risks and threats that take advantage of the need for information regarding the coronavirus to carry out any kinds of cyberattacks.
Organisations must be very careful in this situation, as the possibility of suffering a personal data security breach increases.
The third additional provision on the suspension of administrative deadlines established by Royal Decree 463/2020, under which the state of alarm was established in Spain on 16 March 2020 to fight the pandemic, states that "terms are suspended and deadlines for the processing of procedures of public sector entities are interrupted", which has led some controllers to raise doubts as to whether or not they are obliged to notify security breaches.
Firstly, it should be noted that, as the Agency has stated in its "Communication on Coronavirus Self-assessment Apps and Websites", this emergency cannot imply a suspension of the fundamental right to the protection of personal data.
The obligations established by Regulation EU 2016/679 GDPR and LOPDGDD regarding the notification of personal data security breaches, as well as the obligation to inform the data subjects in case these entail a high risk for the rights and freedoms of natural persons, are aimed at creating a society that is more resilient to security incidents that may undermine our fundamental rights. The aforementioned suspension is without prejudice to the obligation to notify security breaches affecting personal data, thus controllers are obliged to notify the Agency.
In these moments of special vulnerability, it is more important than ever to know the incidents that may occur regarding the protection of personal data, providing information that allows the Supervisory Authorities and the citizens to adopt the necessary protection measures and to build trust in the functioning of our system.
Data controllers and processors must continue to fulfil their obligations if they detect a personal data security breach that constitutes a risk to the rights and freedoms of natural persons. They must notify said breaches to the Supervisory Authority within 72 hours. This notification will be submitted by electronic means through the Electronic Office of the AEPD, and they will have the option to make an initial notification within the established period if they do not have all the necessary information on the breach. Subsequently, when all the necessary information is gathered, the information provided may be extended by means of an additional notification.
Likewise, where the personal data security breach is likely to pose a high risk to the rights and freedoms of natural persons, the controller will also inform the data subject as soon as possible; this communication is particularly relevant to data subjects in periods of special vulnerability, such as the current situation.
As reference material, we recommend consulting the Guide on Personal Data Breach Management and Notification published by the AEPD.