The General Data Protection Regulation is about to come into force on the 28th of May 2018. We are getting a lot of requests for advice and notice that although companies are willing to comply, a lot of new details are generally not known. For example: you become are aware that you had a data breach. Do you tell the person affected? Or do you have the legal obligation to inform your customer?

Yes, when: 

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons*, the controller shall communicate the personal data breach to the data subject without undue delay.

And the notification shall describe in clear and plain language the nature of the personal data breach and contain at least the following information and measures:

• communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
• describe the likely consequences of the personal data breach;
• describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

No, when: any of the following conditions are met:

1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

* These are (high) risks to the rights and freedoms of natural persons: The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Are you ready?!

Do contact us if you would like more information on the subject. Business Advice Spain is highly experienced in Data Protection matters. It has helped American companies for the last 15 years establish themselves in Europe.