Articles

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

15.07.2014

On 25 March 2014, the Article 29 Working Party (“WP 29”) issued Opinion 03/2014 (the “Opinion”). The Opinion provides guidance to data controllers to help them decide whether to notify data subjects about a personal data breach.

This article was co-written by Valerie Vanryckeghem

In the first part of the Opinion, the WP 29 considers the notification obligations of telecommunications service providers that are imposed by the Directive 2002/58/EC. This Directive requires personal data breaches to be notified to the competent national authority. In addition, when the data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller must also notify the data subject about the breach without undue delay.

However, the Directive 2002/58/EC as well as the Proposed EU General Data Protection Regulation (the “Proposed Regulation”) contain an exemption to this notification obligation. That is, if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures to render the data unintelligible to any person who is not authorized to access it and if those measures were applied to the data concerned by the security breach, then notification of a personal data breach to a data subject is not required.

The WP 29 advises controllers to take appropriate technological and organizational measures to ensure a level of security that is appropriate to the risk represented by the processing so that they can rely on the exemption and avoid the need to notify the data subject. In this respect, the WP 29 notes that data controllers should proceed with notification when they have doubts about the likelihood of the adverse effects on the personal data or privacy of the data subjects.

In the second part of the Opinion, the WP29 lists both examples of data breaches where the affected data subjects should be notified as well as examples of cases where notification to the affected data subjects would not be required. The WP 29 also gives examples of technical measures which, if they had been in place prior to the breach, might have allowed for the avoidance of the need to notify the data subject, such as a confidentiality data breach that only concerns either encrypted data with a state of the art algorithm or salted/keyed, hashed data with a state of the art hash function (assuming all the relevant keys and salts are not compromised).

Finally, the Opinion talks about the various considerations companies face when assessing whether or not to notify the affected data subjects. The WP 29 emphasizes the need to factor in likely secondary adverse effects on the data subjects and indicates that companies should notify even if only one data subject is affected.

The Opinion can be found on http://ec.europa.eu/justice/data-protection/article-29/.

Student trainee Steffie De Cock also contributed to this article.

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

22.02.2019 BE law
Sarah De Wulf on challenges of SAP contracts and indirect use during a Beltug seminar.

Speaking slot - Sarah De Wulf, junior TMT associate, discusses SAP licensing agreements during a Beltug seminar on 20 February 2019. Many of the Beltug members are customers of SAP and face daily questions and challenges regarding SAP's software licensing policies.  These questions include (among others): how the licence models will evolve (especially in terms of the growth of cloud services) and how to cope with indirect access.

Read more

21.03.2019 NL law
15 aspects of Brexit you did not know

Short Reads - A Brexit without a deal, or with a deal that does not cover all relevant aspects, is still a potential scenario. We have highlighted a number of unexpected legal consequences of Brexit in such a no deal or incomplete deal scenario.

Read more

18.02.2019 EU law
Erik Valgaeren moderates a panel on Data Governance and Compliance during IBA's Silicon Beach Conference

Speaking slot - The discussion topic will cover various legal aspects relating to data lifecycle management, both for personal and non personal data. These aspects will include rights in and obligations regarding data, such retention obligations and portability rights. Practical suggestions on holistic data management and the role of the chief data officer will be debated.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring