View the PDF
Article 4 of the GDPR establishes that the security breaches of personal data are those incidents that cause the destruction, loss or accidental or unlawful alteration of personal data, as well as the communication or unauthorized access to them.
By application of the GDPR, the controller has an obligation to notify the personal data security breaches that could affect the data processed; that is why when the data controller knows that a security breach has occurred; he must notify it to the competent supervisory authority no later than 72 hours after the controller has noticed it. The realization of such communication before the competent supervisory authority is mandatory, unless it is unlikely that the security breach entails a risk to the rights and freedoms of natural persons.
If the security breach constitutes a high risk for the rights and freedoms of individuals, in addition to the notification of the supervisory authority, the controller must notify the security breach to the affected data subjects in a clear, simple, concise and transparent manner.
That is why the Spanish supervisory authority (Agencia Española de Protección de Datos – AEPD) has published the Guide on personal data breach management and notification which is addressed to the Controllers in order to facilitate the application of the GDPR in relation to the obligation to notify the competent supervisory authority and, where appropriate, those affected data subjects. It is a supporting document that offers preventive recommendations and action plans so the organizations have knowledge of how to avoid possible security breaches and how to act in case they occur.
For more information, view the Guide on personal data breach management and notification.