Security Breaches / Violations
Security breaches (violations of personal data security) may cause physical, material or non-material damage to the individuals concerned, such as:
— Loss of control over their personal data
— Restriction of your rights
— Reputational or social damage
— Identity theft
— Financial losses
— Loss of confidentiality
— Etc.
Therefore, as soon as the data controller (the company affected by the security breach) becomes aware that a personal data breach has occurred, it must apply the following:
Action Protocol for Data Protection Security Violations
Duty to report internally
Any employee who becomes aware of a breach of personal data security (for example theft, loss, or improper access to personal data, whether internal or external) must report it internally without delay to the head of department or other authorized person.
Duty to inform the Data Protection Officer
The head of department or authorized person shall, without undue delay, inform the Data Protection Officer (where one has been appointed) and/or the contracted data protection consultants, in order to receive the necessary advice.
Duty to Notify the Supervisory Authority
The controller shall notify the supervisory authority (Spanish Data Protection Agency, AEPD) in accordance with the following requirements:
- Notify without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
- Notification is not required where the controller can demonstrate, in line with the accountability principle (responsabilidad proactiva), that the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.
- If notification is not made within 72 hours, it must be accompanied by the reasons for the delay; the information may be provided in phases without further undue delay (Art. 33 GDPR).
Duty to document security breaches
The Data Controller shall document every personal data breach, including the facts relating to it, its effects and the corrective measures taken. This documentation must enable the supervisory authority to verify compliance with the GDPR.
Duty to Communicate security breaches to affected parties
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate it to the affected data subjects without undue delay.
Failure to notify the supervisory authority
Failure to notify a personal data breach to the AEPD may be classified as a serious infringement under Article 73 r) of the LOPDGDD.
An incomplete, late or defective notification to the data protection authority of the information relating to a personal data breach may also constitute a serious infringement.
Such infringements may result in penalties. By contrast, no penalty applies for notifying the AEPD of a security incident that does not qualify as a notifiable personal data breach.
Analysis of the need to notify and report a security breach
Given the above, it is essential to have a procedure for analyzing each security breach, in order to determine when the Data Controller must notify the supervisory authority and when it must communicate the breach to the affected data subjects.
This analysis must identify the categories of personal data affected, the volume of data involved and the profile of the affected data subjects, and, on the basis of these parameters, determine whether notification is required.
We help you
Business Adapter will draft your action protocols for security breaches and assist you throughout the process of analysis, implementation of corrective measures and notification.
You can count on us: we are data protection lawyers in Valencia (LOPD Valencia).
Contact us: https://businessadapter.es/contacto