Data Breach – What to Do in Case of a Data Incident?

Many entrepreneurs only take precautions after a data breach has already occurred. However, it is crucial to have a plan in place before a data protection violation happens. Quick action is required once a data breach is identified. Typically, there is only a 72-hour window from becoming aware of the data breach to decide whether to report the violation to the data protection authority and to prepare any necessary notifications.

What constitutes a Data Breach?

According to the General Data Protection Regulation (GDPR), a "violation of the protection of personal data" occurs whenever there is destruction, loss, alteration, or unauthorized disclosure of, or unauthorized access to, personal data (Article 4(12) GDPR). Whether the violation was caused intentionally or unlawfully is irrelevant. Accidental deletion of a file by an employee is considered a data protection violation, just as a hacker attack that illegally accesses the company's personal data is.

Narrow 72-hour Timeframe

If a violation of the protection of personal data has occurred, the responsible party must report it to the data protection authority within 72 hours. Reporting is unnecessary only if the violation poses no more than a low risk to the rights and freedoms of the affected individuals, and that risk must be assessed accurately. The European Union Agency for Cybersecurity (ENISA) has developed guidelines for this purpose, although the European Data Protection Board (EDPB) and its predecessor view this schematic scoring critically. If one is unable to assess the risk, it is advisable to err on the side of reporting.

Once the risk has been assessed, and if the conclusion is that more than a low risk exists, the notification should be prepared accordingly. It is recommended to use the data protection authority's form. If not all information regarding the data protection violation is available within 72 hours, the missing information must be submitted promptly, and the notification should indicate that further information will follow. A detailed description of the incident and of the remedial measures are crucial components of the notification. Ideally, the matter is concluded with the submission of the notification and the implementation of the remedial measures.

Documentation in Case of Non-Reporting

If, from a risk perspective, a decision is made against reporting, the data breach should still be meticulously documented to address any inquiries from the authority. The circumstances of the data breach may become known to the authority during the course of a complaint on another matter. In such cases, the decision not to report must be explained.

Calculating Deadlines for a Data Breach

Documentation and/or reporting of a data protection incident can tie up significant resources within a company. Hackers often exploit periods of low staffing, such as extended holidays or vacation times, to gain access to personal data. When calculating deadlines, holidays and weekends must also be counted. Regulation (EEC, Euratom) No 1182/71, not national law, applies to the calculation of deadlines. This means the deadline must comprise at least two working days (Article 3(5) Regulation (EEC, Euratom) No 1182/71). However, there is some ambiguity in the wording of the regulation, and some data protection authorities may interpret it differently. If in doubt, it is advisable to adhere to the 72-hour timeframe. Seeking external assistance in the event of a data breach is recommended if the deadline cannot otherwise be met, or if the company lacks the expertise needed for the legal assessment of the incident.

Do you have further questions about data protection law?

Do you need assistance with a data protection incident, or legal advice from an attorney in other areas of data protection law? As attorneys specializing in these and other legal areas, we invite you to contact our law firm at office@geuer.at or by phone at +43-1-4380072. We look forward to your inquiry.

Sources

Article 29 Working Party on data breaches

ENISA scoring

EU Regulation on time limits (Regulation (EEC, Euratom) No 1182/71)