In accordance with European Commission Regulation (EU) No. 611/2013 of 24 June 2013, which entered into force on 25 August 2013, providers of publicly available electronic communications services, such as fixed or mobile telephone companies or Internet service providers, shall notify the CNPD no later than 24 hours after the detection of the personal data breach and inform their subscribers if the incident is likely to adversely affect their personal data or privacy.
The regulation defines personal data breaches as “breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union”.
Examples of «data breaches»
There are many types of data breaches. Please find some examples below:
- External persons gain access, via the Internet, to servers containing all customer data because of security flaws in the service provider's IT system.
- For a period of time, anyone can access customer accounts online without a password, whereas only customers holding a password should be able to access their respective accounts.
- An employee of a service provider loses a CD-ROM or USB key with customer data.
- A sales agent of a mobile operator in a shop loses a paper contract with a new customer.
What to do in case of a personal data breach?
The provider shall notify the personal data breach to the CNPD no later than 24 hours after the detection of the personal data breach, where feasible. Where all the information set out in Annex I is not available and further investigation of the personal data breach is required, the provider shall be permitted to make an initial notification to the competent national authority no later than 24 hours after the detection of the personal data breach. This initial notification to the competent national authority shall include:
- Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident
- Circumstances of the personal data breach (e.g. loss, theft, copying)
- Nature and content of the personal data concerned
- Technical and organisational measures applied (or to be applied) by the provider to the affected personal data
- Relevant use of other providers (where applicable)
The provider shall make a second notification to the competent national authority as soon as possible, and at the latest within three days following the initial notification. This second notification shall include:
- Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved)
- Number of subscribers or individuals concerned
- Potential consequences and potential adverse effects on subscribers or individuals
- Technical and organisational measures taken by the provider to mitigate potential adverse effects
Possible additional notification to subscribers or individuals
- Content of notification
- Means of communication used
- Number of subscribers or individuals notified
Possible cross-border issues
- Personal data breach involving subscribers or individuals in other Member States
- Notification of other competent national authorities
Where the provider, despite its investigations, is unable to provide all the information within the three-day period following the initial notification, the provider shall notify as much information as it has at its disposal within that timeframe and shall submit to the CNPD a reasoned justification for the late notification of the remaining information. The provider shall notify the remaining information to the CNPD and, where necessary, update the information already provided, as soon as possible.
Notification to the subscriber or individual
When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual (for example, where it is likely to result in theft or identity theft, physical injury, serious humiliation or damage to reputation in connection with the provision of publicly available communications services), the provider shall, in addition to the notification to the CNPD, also notify the subscriber or individual of the breach. The notification to the subscriber or individual shall be expressed in clear and easily understandable language and include:
- Name of the provider
- Identity and contact details of the data protection officer or other contact point where more information can be obtained
- Summary of the incident that caused the personal data breach
- Estimated date of the incident
- Nature and content of the personal data concerned as referred to in Article 3(2)
- Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)
- Circumstances of the personal data breach as referred to in Article 3(2)
- Measures taken by the provider to address the personal data breach
- Measures recommended by the provider to mitigate possible adverse effects
Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
Inventory of personal data breaches
According to the Act of 28 July 2011, providers must keep an inventory of personal data breaches, including their context, their effects and the measures taken to remedy them. The data recorded must be sufficient to enable the CNPD to verify them.
In order to facilitate the task of providers of electronic communications services, the National Commission has developed a data breach notification form containing all the relevant questions to be answered in such a situation (see the bottom of the page).