Regulation (EU) 2016/679, the General Data Protection Regulation, establishes in Articles 33 and 34 the obligation of organisations (public and private) that act as data controllers to notify the Supervisory Authority of data breaches that can cause harm to individuals and, if that harm is serious, to communicate the breach to the individuals whose data have been affected so that they may take their own protective measures. The Supervisory Authority must be notified no later than 72 hours after the organisation becomes aware of the breach.
Other regulatory provisions also make it compulsory to notify the AEPD of data breaches, such as Article 41 of Law 9/2014 of 9 May, the General Telecommunications Act, which applies to providers of electronic communications services available to the public.
In both cases, organisations that process personal data must notify the AEPD of data breaches through the notification form provided for this purpose in the AEPD's Electronic Office.
The organisation must reflect on what has occurred, what the consequences are for the individuals whose data have been affected, what technical or organisational security measures could have prevented the breach and whether it is advisable to adopt them, and what actions must be taken to prevent potential harm to individuals as well as a repetition of the incident.
What underlies this obligation to notify is a wider-ranging duty of controllers to implement procedures for managing security incidents that affect personal data, adapted to the characteristics of the data processing.