Communication of a personal data breach to the data subject

Last modified:

A personal data breach can have considerable adverse effects on individuals and is likely to cause physical, material or immaterial damage. Breaches must therefore be prevented where possible and, when they do occur, managed properly, especially when they may put the rights and freedoms of natural persons at risk.

Article 34 of the GDPR imposes an obligation on data controllers to inform the data subjects of personal data breaches that may pose a high risk to their rights and freedoms.

The data controller must assess the level of risk posed by a personal data breach. In those cases in which it determines that the risk to the rights and freedoms of natural persons may be high, the controller shall communicate the breach to those affected and notify it to the competent supervisory authority in accordance with Article 33 of the GDPR.

With the aim of helping in decision-making, the AEPD offers the Comunica-Brecha GDPR tool.

Check out this infographic to learn more about the requirements for good communication to those affected.

Communication to affected persons should be in clear and simple language, specifically addressed to those persons for whom there is a high risk that their rights and freedoms may be harmed, and include the following minimum content:

  • Contact details of the DPO, or where applicable, the contact point where more information can be obtained.
  • General description of the incident and the time it occurred.
  • The possible consequences of the personal data breach.
  • Description of the data and personal information affected.
  • Summary of the measures implemented so far to control possible damage.
  • Other useful information so that those affected can protect their data or prevent possible damage.

Communication shall be made directly to the affected person, either by telephone, email, SMS, through postal mail, or through any other means addressed to the affected party that the controller considers appropriate.

When the communication to those affected would involve a disproportionate effort in relation to the risks to the rights and freedoms of the data subjects, an indirect communication may be made instead through public notices.

In such a case, the public notice will occupy a prominent place, so that in no case can it go unnoticed.

An incomplete communication (lacking the minimum content), one that is difficult to access, or one sent to the wrong people is not effective, so a communication made under these conditions could be considered a communication not made.

With the aim of helping with the obligation to communicate personal data breaches to affected persons, the AEPD offers indications in the Guide for the notification of personal data breaches as well as other resources in the innovation and technology section.