Articles

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

15.07.2014

On 25 March 2014, the Article 29 Working Party (“WP 29”) issued Opinion 03/2014 (the “Opinion”). The Opinion provides guidance to data controllers to help them decide whether to notify data subjects about a personal data breach.

This article was co-written by Valerie Vanryckeghem

In the first part of the Opinion, the WP 29 considers the notification obligations of telecommunications service providers that are imposed by the Directive 2002/58/EC. This Directive requires personal data breaches to be notified to the competent national authority. In addition, when the data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller must also notify the data subject about the breach without undue delay.

However, the Directive 2002/58/EC as well as the Proposed EU General Data Protection Regulation (the “Proposed Regulation”) contain an exemption to this notification obligation. That is, if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures to render the data unintelligible to any person who is not authorized to access it and if those measures were applied to the data concerned by the security breach, then notification of a personal data breach to a data subject is not required.

The WP 29 advises controllers to take appropriate technological and organizational measures to ensure a level of security that is appropriate to the risk represented by the processing so that they can rely on the exemption and avoid the need to notify the data subject. In this respect, the WP 29 notes that data controllers should proceed with notification when they have doubts about the likelihood of the adverse effects on the personal data or privacy of the data subjects.

In the second part of the Opinion, the WP29 lists both examples of data breaches where the affected data subjects should be notified as well as examples of cases where notification to the affected data subjects would not be required. The WP 29 also gives examples of technical measures which, if they had been in place prior to the breach, might have allowed for the avoidance of the need to notify the data subject, such as a confidentiality data breach that only concerns either encrypted data with a state of the art algorithm or salted/keyed, hashed data with a state of the art hash function (assuming all the relevant keys and salts are not compromised).

Finally, the Opinion talks about the various considerations companies face when assessing whether or not to notify the affected data subjects. The WP 29 emphasizes the need to factor in likely secondary adverse effects on the data subjects and indicates that companies should notify even if only one data subject is affected.

The Opinion can be found on http://ec.europa.eu/justice/data-protection/article-29/.

Student trainee Steffie De Cock also contributed to this article.

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

29.07.2020 NL law
Over temperaturen ten tijde van corona

Articles - Met haar standpunt ten aanzien van het meten van temperaturen van werknemers, geeft de Autoriteit Persoonsgegevens (AP) verduidelijking over de reikwijdte van haar toezicht. Deze nuancering houdt in dat, als er geen sprake is van verwerking van persoonsgegevens, de AVG niet geldt en de AP dus niet handhavend kan optreden.

Read more

03.07.2020 NL law
E-book NOW-2: Second Temporary Emergency Bridging Measure Work Retention

Articles - On 17 March 2020, the Dutch cabinet announced the first emergency package of support measures to alleviate the economic consequences of the corona crisis. This emergency package inter alia comprised the First Temporary Emergency Bridging Measure for the purpose of Work Retention (“NOW-1”) and the Temporary Bridging Measure for Self-Employed Persons (“Tozo-1”).

Read more

27.07.2020 NL law
Outsourcing laws and Regulation in the Netherlands – 2020

Articles - Are there any additional legal or regulatory requirements for outsourcing transactions undertaken by government or public sector bodies? What formalities are required to transfer, lease or license assets on an outsourcing transaction? Or, What are the most material legal or regulatory requirements and issues concerning data security and data protection that may arise on an outsourcing transaction?

Read more

03.07.2020 NL law
E-book NOW-2: Tweede tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid

Articles - Op 17 maart 2020 kondigde het kabinet het eerste noodpakket aan met steunmaatregelen om de economische gevolgen van de coronacrisis te dempen. Onderdeel van dit noodpakket zijn onder andere de Eerste tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid (“NOW-1”) en de Tijdelijke overbruggingsregeling zelfstandige ondernemers (“Tozo-1”).

Read more