Notification of a personal data breach to the Supervisory Authority

Last modified:

A personal data breach is a security incident that causes the accidental or unlawful destruction, loss or alteration of personal data processed by a data controller, or the unauthorized transmission or access to them.

A personal data breach can have a series of considerable adverse effects on individuals and is likely to cause physical, material or immaterial damage, so we must try to prevent breaches and, if they do happen, manage them properly, especially when they may put the rights and freedoms of natural persons at risk.

Article 33 of the GDPR imposes an obligation on controllers to notify the competent supervisory authority of personal data breaches where they are likely to constitute a risk to the rights and freedoms of individuals.

With the aim of helping in decision-making, the AEPD offers the ASESORA BRECHA tool.

The controller must assess the level of risk of a personal data breach and notify it to the supervisory authority when such a risk exists. In addition, where the risk is high, the controller must also make a Communication of a personal data breach to the data subject in accordance with Article 34 of the GDPR.

The deadline for notifying the supervisory authority is 72 hours from the time the organization becomes aware of the breach.

In the private sector, controllers affected by a personal data breach must notify the AEPD:

  • When their only establishment is located in Spain.
  • Where they have several establishments in the European Union, only when the main establishment is located in Spain.
  • If they have no establishment in the European Union, when the personal data breach has affected data subjects in Spain.

In the public sector, the Public Administrations must notify personal data breaches to the AEPD, with the exception of the case of the Autonomous Communities of:

When personal data breaches occur in public sector entities under their jurisdiction.

Notifications of personal data breaches to the AEPD must be made electronically, using the personal data breach notification form of the Electronic Office, to ensure proper compliance with the obligations of Article 33.3 of the GDPR.

Notifying the supervisory authority of a breach affecting personal data is part of the accountability principle set out in the GDPR, and notifying it does not necessarily imply the opening of an administrative procedure. In fact, notifying in a timely manner is evidence of the organization's diligence, while failing to comply with that obligation is classified as an infringement.

However, even in cases where the controller considers that there are no risks to the rights and freedoms of natural persons, the controller is obliged to document any security incident affecting personal data, including the facts related to it, its effects and the corrective measures taken. Such documentation will allow the supervisory authority to verify compliance with the provisions of Article 33 of the GDPR.

In order to help with the obligation to notify personal data breaches to the supervisory authority, the AEPD offers indications in the Guidelines on Personal Data Breach Notification as well as other resources in the Innovation and Technology section.
