In a previous article we explained that the General Data Protection Regulation (GDPR) of the European Union sets out obligations for controllers on keeping records of processing activities. In this article, we describe the controller’s additional obligation for keeping records of personal data breaches.
A personal data breach means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A personal data breach occurs, for example, when a mass email is sent out without using BCC, or when an employee unlawfully takes possession of part of the employer’s data stock (e.g. a client list or price list).
Records of personal data breaches are documents kept by controllers that record any personal data breaches as well as all related facts, data and circumstances in order to prove compliance with the GDPR (accountability principle). The records of personal data breaches may also include the documents used to support the justification of the controller’s decisions in connection with the personal data breaches.
The records of personal data breaches not only include personal data breaches reported to the National Authority for Data Protection and Freedom of Information (hereinafter: the NAIH)
Recital 85 of the GDPR states that a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage to the natural person concerned.
Consequently, the controller shall notify the NAIH about the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33 of the GDPR).
The records of personal data breaches implicitly include the personal data breaches subject to this supervisory reporting, while the controller shall also record any personal data breaches that are not subject to such reporting.
Content requirements on keeping records of personal data breaches
The GDPR defines the minimum content requirements for keeping records of personal data breaches, according to which the controller must keep records of the facts related to the breaches (in particular, the date, nature and circumstances of the personal data breach as well as those affected and the nature of the data affected). Additionally, the impacts and consequences of the personal data breaches as well as the measures taken to remedy them have to be recorded.
In the records of personal data breaches it is recommended to note the date on which the controller became aware of the personal data breach and the date on which it was reported to the NAIH. It is also justified to record which facts and circumstances served as the basis for the controller’s decisions made in connection with the personal data breach.
Formal requirements on keeping records of personal data breaches
Records of personal data breaches shall be kept in writing, either on paper or in electronic format (e.g. xls file). There are no requirements in the GDPR about the language used for records of personal data breaches. If there are no special circumstances justifying keeping records in a foreign language, it is recommended to keep the records in Hungarian. It is also best to indicate in the records the documents related to the personal data breach and its reporting to the supervisory authority, and where such documents are available (e.g. risk analysis, reporting of breach and other related declarations).
A controller may receive an administrative fine if it fails to comply with its obligations related to maintaining records of personal data breaches – that is, if it does not keep the records at all, does not keep them properly, or refuses to hand them over to the supervisory authority upon request.
If you are interested in checking whether your company’s data management practices meet the GDPR requirements, please contact us and we will review your current practices in a data protection due diligence.