Security Breaches / Violations

Violations or security breaches of personal data may result in physical, material or immaterial damage to the affected individuals, such as:

  • Loss of control over their personal data
  • Restriction of their rights
  • Reputational or social damage
  • Identity theft
  • Financial losses
  • Loss of confidentiality
  • Etc.

Therefore, as soon as the data controller (the company affected by a security breach) becomes aware that a security breach of personal data has occurred, it must apply the following:

Action Protocol for Data Protection Security Violations

Duty to report internally

As soon as an employee becomes aware that a breach of personal data security has occurred (for example, theft, loss, or improper internal or external access to personal data), he/she must report it internally.

Duty to inform the Data Protection Officer

The head of department or authorized person shall, without undue delay, inform his/her Data Protection Officer (if applicable) and/or contracted data protection consultants, in order to receive the necessary advice.

Duty to notify the supervisory authority

The Data Controller shall notify the supervisory authority (Spanish Data Protection Agency – AEPD), taking into account the following requirements:

  • Report without undue delay and, if possible, no later than 72 hours after becoming aware of the breach.
  • Notification is not required if the controller can demonstrate, in accordance with the accountability principle ("responsabilidad proactiva"), that the breach of personal data security is unlikely to result in a risk to the rights and freedoms of the data subjects.
  • If notification is not possible within 72 hours, it must be accompanied by an indication of the reasons for the delay, and the information may be provided in phases without further undue delay (art. 33 GDPR).

Duty to document security breaches

The Data Controller shall keep the necessary documentation and information on the security breach, including the facts related to it, its effects and the corrective measures taken. Such documentation shall enable the supervisory authority to verify compliance with the provisions of the GDPR.

Duty to communicate security breaches to affected parties

Where the personal data security breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate it to the data subjects without undue delay.

Failure to notify the supervisory authority

If a security breach is not notified to the AEPD, it may be considered a serious infringement under Article 73 r) of the LOPD-GDD.

Incomplete, late or defective notification to the data protection authority of the information related to a personal data security breach may also constitute a serious infringement.

Such infringements may result in penalties. On the other hand, there is no penalty for notifying the AEPD of a security incident that does not qualify as a notifiable personal data security breach.

Analysis of the need to notify and report a security breach

Given the importance of the above, it is essential to have a procedure for analyzing a security breach, in order to determine when the Data Controller must notify the supervisory authority and communicate the breach to the affected parties.

To analyze a security breach, the categories of data affected, their volume and their profile must be identified, so that, on the basis of these parameters, it can be determined whether or not notification is necessary.

We help you

Business Adapter will draft the action protocols to follow in the event of a security breach and will also assist you throughout the process of analysis, implementation of corrective measures and notification.

You can count on us: we are data protection lawyers in Valencia (LOPD Valencia).


Contact us (https://businessadapter.es/contacto); we will be pleased to help you.