Examples of When To Notify Data Breaches

A personal data breach has to be notified to the competent data protection authority (DPA), except when the breach is considered “unlikely to result in a risk” (Article 33 GDPR). Data subjects also need to be notified if the breach is deemed “likely to result in a high risk” (Article 34 GDPR).

However, assessing the likelihood of (high) risk can pose challenges. To assist in the decision-making process for filing a data breach notification, the European Data Protection Board (EDPB) provides a comprehensive list of examples. Here, we offer a concise summary for quick reference.

1. Unintentional internal errors

Many data breaches stem from internal human errors lacking malicious intent, often attributed to inattentiveness.

1. Accidental e-mail with Excel file of customer data to a trusted third party (e.g. lawyer, accountant, insurance agent)
   Notify DPA: No*
   Inform data subject: No
   Remarks (*): * If the third party is bound to confidentiality as a professional secrecy holder, deletion or return was ensured, and no sensitive data were transmitted.

2. Advertising e-mail with open distribution list (cc instead of bcc)
   Notify DPA: Yes*
   Inform data subject: Yes**
   Remarks (*): * If there is a large number of recipients or sensitive data, e.g. passwords or health data. ** Information should be provided in a subsequent e-mail with an apology and deletion instructions. Exception only if few persons are affected and there is no sensitive content.

3. Webshop sends orders and packing bills to the wrong customer
   Notify DPA: No
   Inform data subject: No
   Remarks (*): The wrong recipient should be asked to delete all data of the correct recipient.

4. Sensitive personal data sent by e-mail by mistake
   Notify DPA: Yes
   Inform data subject: Yes

5. Postal dispatch error of motor insurance policy
   Notify DPA: Yes
   Inform data subject: No*
   Remarks (*): * If no sensitive data. The wrong recipient has to be asked to destroy or return the item and be informed that the data may not be misused.

2. Malicious actions of (former) employees

Employees with access to critical data can cause data breaches when they engage in malicious actions.

6. Former employee uses a company’s database to contact customers to entice them to her/his new business
   Notify DPA: Yes
   Inform data subject: No*
   Remarks (*): * The sensitivity and scope of the personal data concerned must be taken into account.

3. Loss or theft of devices and paper documents

When devices (such as laptops, tablets, USB sticks, or hard drives) or paper documents get lost or stolen, the severity of the data breach depends on several factors: the type of data stored on the device, the supporting assets, and the security measures in place before the breach all play a role in the assessment. Conducting the risk assessment can be challenging because the device itself is no longer available, which makes it difficult, for example, to state with certainty which categories of data it contained.

7. Stolen device encrypted in accordance with the state of the art
   Notify DPA: No*
   Inform data subject: No*
   Remarks (*): * Unless the data is not backed up in any other way and availability is therefore impaired.

8. Stolen unencrypted device containing names, surnames, sex, addresses and dates of birth of more than 100.000 customers; a backup is available
   Notify DPA: Yes
   Inform data subject: Yes

9. Stolen paper files with sensitive data
   Notify DPA: Yes
   Inform data subject: Yes

4. Ransomware attacks

Data breach notifications often stem from a prevalent cybersecurity threat known as a “ransomware attack”. In these incidents, malicious code encrypts personal data and the attackers typically demand a ransom in exchange for the decryption key. This form of attack poses risks to the availability, confidentiality, and/or integrity of the data.

10. Ransomware with proper backup, only encrypted data, and without exfiltration
    Notify DPA: No*
    Inform data subject: No
    Remarks (*): * If quick recovery from the backup copy is possible, at least within the potential 72-hour reporting period, and the hackers only had access to encrypted data.

11. Ransomware without proper backup, and without exfiltration
    Notify DPA: Yes*
    Inform data subject: No**
    Remarks (*): * Revision of the technical and organisational measures should be encouraged. ** If the non-exfiltration has been verifiably determined.

12. Ransomware in a hospital with backup and without exfiltration
    Notify DPA: Yes
    Inform data subject: Yes*
    Remarks (*): * Even with existing backups, the recovery time poses a risk to patient care.

13. Ransomware without backup and with exfiltration of employee and customer data, including identity documents and financial data
    Notify DPA: Yes
    Inform data subject: Yes*
    Remarks (*): * The information should be provided individually. If this is not possible, e.g. through an immediately accessible, comprehensive notice / banner on the website.

5. Data exfiltration attacks: vulnerabilities in Internet services

Attacks leveraging vulnerabilities in services provided by the controller to third parties over the Internet, such as injection attacks (e.g., SQL injection, path traversal) and website compromises, share similarities with ransomware attacks in that they pose risks from unauthorized third-party access. However, unlike ransomware, these attacks primarily focus on copying, exfiltrating, and potentially misusing personal data. This type of breach typically compromises the confidentiality and possibly the integrity of the data.

14. Exfiltration of job application form data from a website
    Notify DPA: Yes
    Inform data subject: Yes

15. Exfiltration of hashed passwords of users of a website
    Notify DPA: No
    Inform data subject: No*
    Remarks (*): * Notification of those affected is not mandatory but is recommended to give them the opportunity to change their passwords.

16. Attack on 100.000 accounts of an online banking website with logins to approx. 2.000 customer accounts due to a vulnerability in the website
    Notify DPA: Yes
    Inform data subject: Yes*
    Remarks (*): * Information for all 100.000 people affected, not just the 2.000 successful log-ins.

17. Hackers capture usernames, passwords and purchase histories of an online retailer’s customers
    Notify DPA: Yes
    Inform data subject: Yes

18. “Identity theft” / “social engineering”, e.g. unlawful request to change the e-mail address to which billing information has to be sent
    Notify DPA: Yes
    Inform data subject: Yes
    Remarks (*): * If the real customer has not been informed about the change of the e-mail address (e.g. via an e-mail to the original e-mail address)


This overview only contains a brief summary. For in-depth descriptions of each situation and comprehensive analysis and comments, please refer to the EDPB’s guidelines.

Timelex provides in-depth expertise in assisting organisations with data breach notifications. If you have inquiries or require assistance, please feel free to reach out to us (frederic.debussere@timelex.eu).
