Data controllers shall notify personal data breaches to the CNPD within 72 hours after having become aware of them, if the breach in question is likely to result in a risk to the rights and freedoms of natural persons.
1. What is a personal data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data breaches can be categorised according to the three well-known principles of information security:
- Breach of confidentiality: in the event of unauthorised or accidental disclosure of, or access to, personal data;
- Breach of availability: in the event of accidental or unauthorised loss or destruction of personal data;
- Breach of integrity: in the event of accidental or unauthorised alteration of personal data.
Depending on the circumstances, a single breach may affect confidentiality, integrity and availability at the same time, or any combination of these three principles.
Recital 85 of the GDPR: "A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned."
2. What to do in case of a personal data breach?
The controller shall determine whether the personal data breach presents a risk to the rights and freedoms of the data subjects.
The answers in the notification form can serve as a basis for determining whether the breach poses a risk.
3. When and how to notify the CNPD?
If the data breach results in a risk to the rights and freedoms of individuals, a notification of the breach to the CNPD is required.
The attached form may be used to notify the breach.
The notification must, at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The breach notification shall be sent to the e-mail address databreach@cnpd.lu. The downloadable GPG public key may be used to encrypt the notification and so protect its contents in transit.
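The following shell script is an added example of how a controller can encrypt a notification to the CNPD's public key before e-mailing it; it is not a CNPD tool and the page itself gives no script. The file names (cnpd-databreach.asc for the downloaded key, notification.pdf for the notification) are assumptions, and the key's fingerprint is not given on this page: the script prints it so that it can be compared with a value obtained through an independent channel before anything is sent. The second function only generates a throwaway stand-in key so the script can be exercised offline; it must never be used for a real notification.

```shell
#!/bin/sh
# Added example (not CNPD tooling): encrypt a breach notification to the
# CNPD's GPG public key before it is e-mailed to databreach@cnpd.lu.
# Assumed file names (not given on the page): cnpd-databreach.asc for the
# downloaded key and notification.pdf for the notification.
set -eu

# encrypt_for_cnpd KEYFILE INPUT OUTPUT
# Imports KEYFILE into a private keyring, prints the key's fingerprint for
# out-of-band verification, then writes an ASCII-armored ciphertext for
# databreach@cnpd.lu to OUTPUT.
encrypt_for_cnpd() {
    keyfile=$1; input=$2; output=$3
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    # A dedicated keyring keeps the imported key apart from personal keys.
    export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$keyfile"
    # Compare this fingerprint with one obtained independently (CNPD website,
    # phone call) before sending: a key fetched over the web is only as
    # trustworthy as the channel it came through.
    gpg --batch --with-colons --fingerprint databreach@cnpd.lu \
        | awk -F: '$1 == "fpr" { print "fingerprint: " $10; exit }'
    # --trust-model always: trust rests on the manual fingerprint check above,
    # not on the web of trust. --armor makes the output safe to attach or paste.
    gpg --batch --yes --quiet --trust-model always --armor \
        --recipient databreach@cnpd.lu \
        --output "$output" --encrypt "$input"
    # Sanity check: the result must be an armored OpenPGP message.
    grep -q -- '-----BEGIN PGP MESSAGE-----' "$output"
}

# make_stand_in_key KEYFILE
# Demo only: generates a throwaway key pair for databreach@cnpd.lu in the
# current GNUPGHOME and exports its public half to KEYFILE, standing in for
# the key downloaded from the CNPD. Never use such a key for a real notification.
make_stand_in_key() {
    keyfile=$1
    export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "CNPD stand-in <databreach@cnpd.lu>" default default never
    gpg --batch --quiet --armor --export databreach@cnpd.lu > "$keyfile"
}

# Usage with the real key (assumed file names):
#   encrypt_for_cnpd cnpd-databreach.asc notification.pdf notification.pdf.asc
# then attach notification.pdf.asc to the e-mail sent to databreach@cnpd.lu.
```

Keeping the imported key in its own GNUPGHOME and relying on the printed fingerprint rather than on the web of trust makes the trust decision explicit: the person sending the notification confirms the fingerprint once, through a channel other than the download itself, and the encryption step then refuses to run against any other key for that address.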
4. When and how to notify the individuals concerned by the data breach?
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The means of communication used to contact the data subjects must be effective: there must be a high probability that the data subjects actually receive the necessary information. Where individual contact is not possible, a public communication may be required.
5. Keep a data breach register
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken (including data breaches not notified to the CNPD).
The CNPD may request access to this documentation to verify compliance by the controller or processor with the GDPR.
6. What will the CNPD do after receiving the notification?
As soon as the notification is received, the National Commission will:
- send an electronic acknowledgment of receipt to the address from which the notification was sent;
- check the notification and, if necessary, contact the controller to verify its authenticity;
- depending on the circumstances, contact the controller with any questions, including whether or not the data subjects need to be informed.
The processing of the notification by the National Commission will focus strongly on the management of the incident by the controller and, where appropriate, on the communication to the data subjects.
7. The responsibilities of processors
Data processors are responsible for putting in place the organisational and technical measures that enable them to notify the controller without undue delay after becoming aware of a personal data breach, so that the controller can in turn meet the 72-hour notification period that runs from the moment it becomes aware of the breach.
8. What to do after the data breach?
It is important that the controller implements appropriate technical and organisational protection measures to prevent the same type of data breaches in the future.
9. Confidentiality of the breach
It is not within the competence of the National Commission to make a data breach public. However, a controller may, on its own initiative or at the request of the National Commission, communicate publicly about a data breach if it is likely to result in a risk to the rights and freedoms of natural persons and if the data subjects cannot be contacted effectively by any other means.