Articles

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications

15.07.2014

On 25 March 2014, the Article 29 Working Party (“WP 29”) issued Opinion 03/2014 (the “Opinion”). The Opinion provides guidance to data controllers to help them decide whether to notify data subjects about a personal data breach.

This article was co-written by Valerie Vanryckeghem

In the first part of the Opinion, the WP 29 considers the notification obligations of telecommunications service providers that are imposed by the Directive 2002/58/EC. This Directive requires personal data breaches to be notified to the competent national authority. In addition, when the data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller must also notify the data subject about the breach without undue delay.

However, the Directive 2002/58/EC as well as the Proposed EU General Data Protection Regulation (the “Proposed Regulation”) contain an exemption to this notification obligation. That is, if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures to render the data unintelligible to any person who is not authorized to access it and if those measures were applied to the data concerned by the security breach, then notification of a personal data breach to a data subject is not required.

The WP 29 advises controllers to take appropriate technological and organizational measures to ensure a level of security that is appropriate to the risk represented by the processing so that they can rely on the exemption and avoid the need to notify the data subject. In this respect, the WP 29 notes that data controllers should proceed with notification when they have doubts about the likelihood of the adverse effects on the personal data or privacy of the data subjects.

In the second part of the Opinion, the WP29 lists both examples of data breaches where the affected data subjects should be notified as well as examples of cases where notification to the affected data subjects would not be required. The WP 29 also gives examples of technical measures which, if they had been in place prior to the breach, might have allowed for the avoidance of the need to notify the data subject, such as a confidentiality data breach that only concerns either encrypted data with a state of the art algorithm or salted/keyed, hashed data with a state of the art hash function (assuming all the relevant keys and salts are not compromised).

Finally, the Opinion talks about the various considerations companies face when assessing whether or not to notify the affected data subjects. The WP 29 emphasizes the need to factor in likely secondary adverse effects on the data subjects and indicates that companies should notify even if only one data subject is affected.

The Opinion can be found on http://ec.europa.eu/justice/data-protection/article-29/.

Student trainee Steffie De Cock also contributed to this article.

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

06.06.2019 BE law
TMT Roundtable: Getting a handle on software quality

Roundtable - Erik Valgaeren, TMT Partner at Stibbe Brussels, and his team organize a roundtable on software quality in our Brussels office on June 6th, 2019. Software quality is a recurring theme in many matters handled by our TMT team. Whether our assistance relates to preparing tender documents, contracting effectively, assessing proper performance or allocating ownership and accountability in challenging IT projects, questions concerning software quality always arise.

Read more

27.05.2019 EU law
One year of GDPR - The regulatory warm-up

Short Reads - The first year of the General Data Protection Regulation ("GDPR") is over. Although early noises predicted an entirely new data protection regime, the European legal framework did not change substantially, the major changes being an expansion of the territorial scope to non-EU countries and stronger powers of enforcement. In spite of fears and rumours of immediate enforcement and huge fines, most regulators focused on helping companies achieve compliance, or they enforced without directly imposing fines.

Read more

21.05.2019 EU law
Part one - GDPR and Public Law - Applicability of GDPR to public bodies

Articles - Since the GDPR became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and Public Law”, we discuss three relevant issues of the interaction of GDPR with public law and government. In this blog we discuss the applicability of GDPR to public bodies.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring