Article 34
Communication of a personal data breach to the data subject

Recitals of the Regulation related to Art. 34

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

There is no recital text in the Directive related to Art. 34.

GDPR

Unlike the notification to the supervisory authority (see Article 33), the final version of the Regulation only requires the controller to notify the data subject of data breaches that are likely to expose individuals to a high risk to their rights and freedoms.

Article 34 also defines the content of the communication to the data subject, which is very close to the notification under Article 33, to which it largely refers (see Art. 34(2)). The final version of the Regulation states that the communication must be made in clear and plain language.

The time limit differs slightly from the one for notification to the supervisory authority, since Article 34(1) in fine indicates only that the communication must be made "without undue delay". The idea is that data subjects should be able to take, without delay, any measures necessary to stop or mitigate the negative effects that may arise from the data breach (see recital 85).

Article 34 (3) provides, however, for various exceptions to the notification to the data subjects.

- if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption (a);

- or if the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize (b);

- or it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner (c).

Initially, according to the second proposed version of the Regulation, the communication was not necessary if it would risk affecting an important public interest. This exception, which in our opinion left too much room for manoeuvre to the controller, was however removed in the final version of the Regulation.

Finally, the final version of the Regulation adds a fourth paragraph to Article 34 granting the supervisory authority the power to require the controller to communicate the breach to the data subjects, taking into account the likelihood of the breach resulting in a high risk to them. This provision also grants the supervisory authority the power to evaluate whether the communication to the data subject is necessary, in view of the exceptions provided for in Article 34(3) of the Regulation.

The Directive

The Directive did not provide for an obligation of notification in the event of a personal data breach. By contrast, such an obligation existed in the system set up by Directive 2002/58/EC on privacy and electronic communications, implemented by Regulation No 611/2013 on the measures applicable to the notification of personal data breaches.

Challenges

One can already anticipate the difficulties arising from the assessment of the “high risk” to the rights and freedoms of data subjects that triggers the obligation to communicate the breach.

The same difficulty reappears in the assessment of the exceptions to the communication of such a breach. These exceptions, mainly the first and the last, are somewhat unclear and leave too wide a margin of assessment to the controller.

In other words, it will be the responsibility of the controller to assess whether the communication of a data breach to the data subject is necessary, in view of the technical and organisational measures applied, the measures taken subsequently to prevent the risk from materialising, or whether this communication would involve disproportionate effort.

However, the final version partially attempts to remedy the negative consequences that could result from a lack of communication to the data subjects, since the supervisory authorities have the power to require a communication, as well as the power to assess whether one of the exceptions to the communication duty is met in a particular case, thus substituting their assessment for the controller's without excluding any liability of the latter.

The Regulation

Art. 34

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

1st proposal

Art. 32

1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b) and (c) of Article 31(3).

3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

4. Without prejudice to the controller's obligation to communicate the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject of the personal data breach, the supervisory authority, having considered the likely adverse effects of the breach, may require it to do so.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.

6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2nd proposal

Art. 32

1. When the personal data breach is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorized reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall (...) communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b), (e) and (f) of Article 31(3).

3. The communication (...) to the data subject referred to in paragraph 1 shall not be required if:

a. the controller (...) has implemented appropriate technological and organisational protection measures and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or

b. the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; or

c. it would involve disproportionate effort, in particular owing to the number of cases involved. In such case, there shall instead be a public  communication or similar measure whereby the data subjects are informed in an equally effective manner; or

d. it would adversely affect a substantial public interest.

4. (...)

5. (...)

6. (…)

Directive

COMMISSION REGULATION (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications

Art. 3

1. When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall, in addition to the notification referred to in Article 2, also notify the subscriber or individual of the breach.

2. Whether a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual shall be assessed by taking account of, in particular, the following circumstances:

(a) the nature and content of the personal data concerned, in particular where the data concerns financial information, special categories of data referred to in Article 8(1) of Directive 95/46/EC, as well as location data, internet log files, web browsing histories, e-mail data, and itemised call lists;

(b) the likely consequences of the personal data breach for the subscriber or individual concerned, in particular where the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation; and

(c) the circumstances of the personal data breach, in particular where the data has been stolen or when the provider knows that the data are in the possession of an unauthorised third party.

3. The notification to the subscriber or individual shall be made without undue delay after the detection of the personal data breach, as set out in the third subparagraph of Article 2(2). That shall not be dependent on the notification of the personal data breach to the competent national authority, referred to in Article 2.

4. The provider shall include in its notification to the subscriber or individual the information set out in Annex II. The notification to the subscriber or individual shall be expressed in a clear and easily understandable language. The provider shall not use the notification as an opportunity to promote or advertise new or additional services.

5. In exceptional circumstances, where the notification to the subscriber or individual may put at risk the proper investigation of the personal data breach, the provider shall be permitted, after having obtained the agreement of the competent national authority, to delay the notification to the subscriber or individual until such time as the competent national authority deems it possible to notify the personal data breach in accordance with this Article.

6. The provider shall notify to the subscriber or individual the personal data breach by means of communication that ensure prompt receipt of information and that are appropriately secured according to the state of the art. The information about the breach shall be dedicated to the breach and not associated with information about another topic.

7. Where the provider having a direct contractual relationship with the end user, despite having made reasonable efforts, is unable to identify within the timeframe referred to in paragraph 3 all individuals who are likely to be adversely affected by the personal data breach, the provider may notify those individuals through advertisements in major national or regional media, in the relevant Member States, within that time frame. These advertisements shall contain the information set out in Annex II, where necessary in a condensed form. In that case, the provider shall continue to make all reasonable efforts to identify those individuals and to notify to them the information set out in Annex II as soon as possible.


Art. 34 (Norwegian language version)

Communication of a personal data breach to the data subject

1. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall contain a clear and plain description of the nature of the personal data breach and at least the information and measures referred to in Article 33(3)(b), (c) and (d).

3. The communication to the data subject referred to in paragraph 1 is not required if any of the following conditions are met:

a) the controller has implemented appropriate technical and organisational security measures, and those measures have been applied to the personal data affected by the personal data breach, in particular measures that render the personal data unreadable to any person who does not have authorised access to them, e.g. encryption,

b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to arise,

c) it would involve a disproportionately large effort. If that is the case, the public shall be informed instead, or a similar measure shall be taken which ensures that the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority may, having assessed the likelihood of the breach resulting in a high risk, require the controller to do so, or decide that one or more of the conditions referred to in paragraph 3 are met.

The old Act

No duty to notify the affected data subject, but the controller could be ordered by Datatilsynet (the Norwegian Data Protection Authority) to provide such information.

See Art. 33 on notification to Datatilsynet.
