Data breaches pose a serious danger to the rights and freedoms of the affected data subjects. Controllers are expected to notify them to the supervisory authorities and to the data subjects as soon as possible. Furthermore, if the data breach is likely to result in a high risk, the affected data subjects should be informed personally and without undue delay. The notification should describe the details of the data breach, the control measures already taken, and recommendations for the affected data subjects to limit the damage. Contacting all users might be impossible in practice. Therefore, a public communication – if effective – can be considered sufficient. All communication towards data subjects should be transparent and in clear and plain language.
Checklist: Data Breaches
- Controllers have implemented adequate policies to notify data breaches as soon as possible, and all participants in the development process are well aware of them.
- Templates for the information to be included in the notifications have been designed.
- Communication policies and tools, aimed at facilitating communication with the data subjects if a data breach happens, have been created.
1. JRC Technical Reports, Guidelines for public administrations on location privacy, at: https://publications.jrc.ec.europa.eu/repository/handle/JRC103110