Notification of a personal data breach to the Supervisory Authority

A personal data breach can have a series of considerable adverse effects on individuals, likely to cause physical, material or immaterial damage; so we must try to prevent them and if they do happen, manage them properly, especially when they may put the rights and freedoms of natural persons at risk.

Article 34 of the GDPR imposes an obligation on data controllers to inform the data subjects of personal data breaches that may pose a high risk to their rights and freedoms.

The data controller must assess the level of risk of a personal data breach and in those cases in which it determines that the risk to the rights and freedoms of persons may be high, shall communicate the breach to those affected and notify it to the competent supervisory authority in accordance with article 33 of the GDPR.

With the aim of helping in decision-making, the AEPD offers the Comunica-Brecha GDPR tool.

Check out this infographic to learn more about the requirements for good communication to those affected.

Communication to affected persons should be in clear and simple language, specifically addressed to those persons for whom there is a high risk that their rights and freedoms may be harmed, and include the following minimum content:

• Contact details of the DPO, or where applicable, the contact point where more information can be obtained.
• General description of the incident and the time it occurred.
• The possible consequences of the personal data breach.
• Description of the data and personal information affected.
• Summary of the measures implemented so far to control possible damage.
• Other useful information so that those affected can protect their data or prevent possible damage.

Communication shall be made directly to the affected person, either by telephone, email, SMS, through postal mail, or through any other means addressed to the affected party that the controller considers appropriate.

When the communication to those affected involves a disproportionate effort in relation to the risks to the rights and freedoms that the data subjects are suffering, an indirect communication may be made through public notices.

In such a case, the public notice will occupy a prominent place, so that in no case can it go unnoticed.

An incomplete communication (without the minimum content), difficult to access or made to the wrong people is not effective, so a communication under these conditions could be considered a communication not made.

With the aim of helping with the obligation to communicate personal data breaches to affected persons, the AEPD offers indications in the Guide for the notification of personal data  breaches as well as other resources in the innovation and technology section.

Blog de la AEPD

• Brechas de datos personales: seguridad enfocada a los tratamientos [mar 2024]
• Brechas de datos personales: entornos de desarrollo y preproducción [abr 2022]
• Sin privacidad no hay ciberseguridad [feb 2022]
• Brechas de seguridad: el correo electrónico y las plataformas de productividad online [jun 2020]
• Brechas de seguridad: El Top 5 de las medidas técnicas que debes tener en cuenta [abr 2020]
• Notificación de brechas de seguridad de los datos personales durante el estado de alarma [abr 2020]
• Campañas de phishing sobre el COVID-19 [mar 2020]
• Brechas de seguridad: comunicación a los interesados [feb 2020]
• Brechas de seguridad: protégete ante la pérdida o robo de un dispositivo portátil [oct 2019]
• Brechas de seguridad de datos personales: qué son y cómo actuar[jun 2019]
• Brechas de seguridad: protégete ante el ransomware[may 2019]
• Qué son las brechas de seguridad, cómo te pueden afectar y cómo protegerte[mar 2017]

FAQS

• Preguntas frecuentes (FAQs)

• Guía para la Gestión y Notificación de Brechas de Datos Personales [jun 2021]

• EDPB: Guidelines 9/2022 on personal data breach notification under the GDPR [mar 2023]

• EDPB: Guidelines 01/2021 on Examples regarding Data Breach Notification [dic 2021]

• Herramienta Comunica-Brecha RGPD

• Cómo gestionar una fuga de información en un despacho de abogados [sept 2019]

• Sede Electrónica