Examples of When To Notify Data Breaches

A personal data breach has to be notified to the competent data protection authority (DPA), except when the breach is considered “unlikely to result in a risk” (Article 33 GDPR). Data subjects also need to be notified if the breach is deemed “likely to result in a high risk” (Article 34 GDPR).

A personal data breach has to be notified to the competent data protection authority (DPA), except when the breach is considered “unlikely to result in a risk” (Article 33 GDPR). Data subjects also need to be notified if the breach is deemed “likely to result in a high risk” (Article 34 GDPR).

However, assessing the likelihood of (high) risk can pose challenges. To assist in the decision-making process for filing a data breach notification, the European Data Protection Board (EDPB) provides a comprehensive list of examples. Here, we offer a concise summary for quick reference.

  1. Unintentional internal errors

Many data breaches stem from internal human errors lacking malicious intent, often attributed to inattentiveness.

 

Situation

Notify to DPA

Inform data subject

Remarks (*)

1. 

Accidental e-mail with Excel file of customer data to a trusted third party (e.g. lawyer, accountant, insurance agent)

No*

No

* If the third party is bound to confidentiality as a professional secrecy holder, deletion or

return was ensured, and no sensitive data were transmitted.

2. 

Advertising e-mail with open distribution list (cc instead of

bcc)

Yes*

Yes**

* If there is a large number of recipients or

sensitive data, e.g. passwords or heath data.

** Information should be provided

in subsequent e-mail with apology and

deletion instructions. Exception only if few

affected persons and no sensible content.

3. 

Webshop sends orders and packing bills to wrong customer

No

No

The wrong recipient should be asked to delete all data of the correct recipient.

4. 

Sensitive personal data sent by e-mail by mistake

Yes

Yes

 

5. 

Postal dispatch

error of motor

insurance policy

Yes

No*

* If no sensitive data. The wrong recipient has to be asked to destroy or return the item and be informed that the data may not be misused.

 

  1. Malicious actions of (former) employees

With access to critical data, data breaches can occur when employees engage in malicious actions.

 

Situation

Notify to DPA

Inform data subject

Remarks (*)

6. 

Former employee uses a company’s database to contact customers to entice them to her/his new business

Yes

No*

* The sensitivity and scope of the personal data concerned must be taken into account.

 

  1. Loss or theft of devices and paper documents

When devices (such as laptops, tablets, USB sticks, or hard drives) or paper documents get lost or stolen, the severity of a data breach is influenced by various factors. The type of data stored on the device, supporting assets, and pre-breach security measures all play a role in the assessment. Conducting a risk assessment can be challenging, as the devices are unavailable, making it difficult to make statements about categories of data, for example.

 

Situation

Notify to DPA

Inform data subject

Remarks (*)

7. 

Stolen device encrypted in accordance with the state of the art

No*

No*

Unless the data is not backed up in any other way and availability is therefore impaired.

8. 

Stolen device not encrypted with names, surnames, sex, addresses and date of birth of more than 100.000 customers, backup is available

Yes

Yes

 

9. 

Stolen paper files with sensitive data

Yes

Yes

 

 

  1. Ransomware attacks

Reporting a data breach often stems from a prevalent cybersecurity threat known as a “ransomware attack”. In these instances, malicious code encrypts personal data, and typically, attackers demand a ransom in exchange for the decryption key. This form of attack poses risks to the availability, confidentiality, and/or integrity of the data.

 

Situation

Notify to DPA

Inform data subject

Remarks (*)

10.             

Ransomware with proper backup, only encrypted data, and without exfiltration

No*

No

* If quick recovery of the backup copy is possible, at least within the potential 72-hours reporting period and the hackers only had access to encrypted data

11.             

Ransomware without proper backup, and without exfiltration

Yes*

No**

* Revision of the technical and organisational measures should be encouraged.

** If the non-exfiltration has been verifiably determined.

12.             

Ransomware in a hospital with backup and without exfiltration

Yes

Yes*

* Even with existing backups, the recovery time poses a risk to patient care.

13.             

Ransomware without backup and with exfiltration of employee and customers data, i.a. identity documents and financial data

Yes

Yes*

* The information should be provided individually. If this is not possible, e.g. through an immediately accessible, comprehensive information / banner on the website.

 

  1. Data exfiltration attacks: Vulnerabilities in Internet Services

Attacks leveraging vulnerabilities in services provided by the controller to third parties over the Internet, such as injection attacks (e.g., SQL injection, path traversal) and website compromises, share similarities with ransomware attacks in that they pose risks from unauthorized third-party access. However, unlike ransomware, these attacks primarily focus on copying, exfiltrating, and potentially misusing personal data. This type of breach typically compromises the confidentiality and possibly the integrity of the data.

 

Situation

Notify to DPA

Inform data subject

Remarks (*)

14.             

Exfiltration of job application form data from a website

Yes

Yes

 

15.             

Exfiltration of hashed passwords of users of a website

No

No*

*Notification of those affected is not mandatory but is recommended to give them the opportunity to change their passwords.

16.             

Attack on 100.000 accounts of an online banking website with logins to approx. 2.000 customer accounts due to a vulnerability in the website

Yes

Yes*

* Information for all 100.000 people affected, not just the 2.000 successful log-ins.

17.             

Hackers capture usernames, passwords and purchase histories of an online retailer’s customers

Yes

Yes

 

18.             

“Identity theft” / “social engineering”, e.g. unlawful request to change the e-mail address to which billing information has to be sent

Yes

Yes

* If the real customer has not been informed about the change of the e-mail address (e.g. via an e-mail to the original e-mail address)


This overview only contains a brief summary. For in-depth descriptions of each situation and comprehensive analysis and comments, please refer to the EDPB’s guidelines:

Timelex provides in-depth expertise in assisting organisations with data breach notifications. If you have inquiries or require assistance, please feel free to reach out to us (frederic.debussere@timelex.eu).

More Partner Blogs


19 februari 2024

Val duchesse summit 2024 to boost eu social dialogue

On 31 January 2024, The Val Duchesse Social Partners Summit was hosted by the European Commission...

Lees meer...

16 februari 2024

Five Frequently Asked Questions on Generative AI and Copyright

The recent uptake of generative AI systems such as ChatGPT, DALL-E and Midjourney sparks numerous...

Lees meer...

12 februari 2024

Amendment of the Chain Liability Regulations for illegal employment of third-country nationals in the Flemish Region

Due to a few recent cases where illegal employment and human trafficking were discovered at large...

Lees meer...

08 februari 2024

Legal Agility: Drive change in your Legal Department

Embarking on a journey of transformative change within legal departments requires more than just...

Lees meer...

01 februari 2024

Surely the Kids are Safe? – What the European Commission’s Updated Guidance Says About Joint Venture Agreements

What the European Commission’s Updated Guidance Says About Joint Venture Agreements

Lees meer...