According to the GDPR, data controllers are required to notify their competent supervisory authority in case of a personal data breach.1 Notification must be made within 72 hours of the controller becoming aware of the breach. Within this relatively slim time period, it is up to the controller to figure out how to manage the breach, assess the risks posed to the individuals affected, and determine whether and how the supervisory authority should be notified. With this blog post, we hope to answer some common questions about data breach notifications to supervisory authorities. This will help you create an effective data breach response plan, enhancing your GDPR compliance and putting any notification worries at ease! Note! This blog post will not contain information about the notification to data subjects.
Published December 18th 2023
In which cases are we required to notify a data breach to a supervisory authority?
Since the notification requirement applies to personal data breaches, we will briefly describe what counts as such. Security incidents that do not involve personal data are not covered by the GDPR. The GDPR defines “personal data breach” in Article 4(12). Put simply, any unplanned or unauthorised processing of personal data constitutes a personal data breach. For further explanation of how to recognise a personal data breach, see the European Data Protection Board’s (EDPB) Guidelines 9/2022 on personal data breach notification under GDPR, pages 7–9.
You are not required to notify the supervisory authority of personal data breaches that are “unlikely to result in a risk to the rights and freedoms of natural persons”, Article 33(1) GDPR. This means that you have to assess the possible consequences of the breach for the individuals whose data have been affected. Some examples of adverse consequences are discrimination, identity theft or fraud, financial loss, damage to reputation and unauthorized reversal of pseudonymization.2 If the data breach is unlikely to result in a risk of such effects taking place, then you are not required to notify the supervisory authority. However, this is a low threshold. No adverse consequence needs to have actually taken place – as soon as it is not unlikely that the breach leads to a risk of adverse consequence, the notification requirement kicks in. You can find more information on when a data breach must be reported in our previous blog post!
If you are acting as a data processor, you are obligated to report all personal data breaches to your controller, Article 33(2) GDPR. It is then the controller who must decide whether the breach must be reported to the competent supervisory authority. For a clarification on the roles of data controller and data processor, read our previous blog post here.
It should be noted that failure to report a breach when required may result in an administrative fine, Article 83 GDPR.
How do we know which supervisory authority to notify?
Each Member State of the EU has a supervisory authority (in Germany there is one per federal state). The EEA Member States Iceland, Liechtenstein and Norway are also party to the GDPR, and have their own supervisory authorities. The GDPR has a system for deciding which supervisory authority is competent to handle a particular matter concerning personal data processing.
How to determine the competent supervisory authority depends on how many establishments your organisation has within the EU/EEA, and on whether you carry out cross-border processing of personal data.
If your organisation has one single establishment in the EU/EEA, then the competent supervisory authority is the one in the Member State where your establishment is located, Article 55 GDPR. This applies even if your data processing substantially affects data subjects in another Member State (a form of cross-border processing).3
If your organisation has more than one establishment in the EU/EEA, you have to examine whether the breach affected data involved in cross-border processing. Cross-border processing occurs when processing takes place in the context of the activities of establishments in more than one Member State.4 For example, a company established in Sweden and Denmark, which processes personal data at both establishments, is carrying out cross-border data processing. In this case, the “One Stop Shop” principle of the GDPR kicks in, Article 56 GDPR. This means that you only have to report the breach to your lead supervisory authority, rather than the authorities of all the Member States affected.
To identify your lead supervisory authority, you need to identify your “main establishment” in the EU/EEA. As a rule, your central administration will be your main establishment. However, if decisions on the purposes and means of personal data processing are taken at another establishment, that other establishment will be considered your main establishment. The aim is to identify where the effective and real exercise of management activities related to data processing takes place. Some useful factors to consider are:5
- Where are decisions about the purposes and means of the processing given final ‘sign off’?
- Where are decisions about business activities that involve data processing made?
- Where does the power to have decisions implemented effectively lie?
- Where is the Director (or Directors) with overall management responsibility for the cross-border processing located?
- Where is the controller or processor registered as a company, if in a single territory?
If you have more than one establishment in the EU/EEA, but only process personal data in the context of the activities of one of them, then Article 55 GDPR applies, and the competent supervisory authority is the one in the Member State where the data processing takes place.
Finally, if your organisation has no establishment in the EU/EEA, the One Stop Shop principle does not apply. This means that you must notify the supervisory authorities in every Member State you are active in, through your EU representative.6
How do we notify the supervisory authority?
Each supervisory authority has a chosen method of notification. Some use online forms. Others provide forms that are to be downloaded, filled out and then sent by e-mail or post. Information on how to make a notification can be found on each supervisory authority’s website. The EDPB has compiled a list of the EU/EEA supervisory authorities here. In Germany’s case, there is a supervisory authority for each federal state (“Bundesland”); you can find them listed here.
Note that not all supervisory authorities have information on their notification procedure available in English! It is therefore important to have a data breach response plan worked out before any incident occurs, so that you do not have to spend precious time hunting down procedure instructions once your 72-hour deadline has started ticking.
Do we have to keep an internal record of the data breach?
Yes! According to Article 33(5), controllers must document all personal data breaches. This applies regardless of whether you are required to notify the competent supervisory authority. The obligation to document data breaches is linked to the accountability principle in Article 5(2) GDPR and is part of the controller’s obligations under Article 24 GDPR. This means that the supervisory authority can request access to these records.
It is up to you to decide what method and structure to use when documenting the breach. However, the following key elements need to be included:7
- The causes of the breach,
- A description of what took place,
- A description of the personal data affected by the breach,
- The effects and consequences of the breach, and
- A description of the action you have taken to remedy the breach.
The EDPB recommends that the controller also document its reasoning for the decisions taken in response to a breach.8 In particular, if a breach is not notified to the supervisory authority, a justification for that decision should be documented. You should describe the reasons why you consider the breach unlikely to result in a risk to the rights and freedoms of individuals.
What are the benefits of a documented data breach response plan?
There are quite a few steps to complete when a personal data breach occurs. Therefore, the EDPB recommends having a documented incident response plan in place.9 The response plan should set out the process to follow once a breach has been detected, including:
- how to contain, manage and recover the breach,
- how to assess the risk to individuals, and thereby determine whether it is necessary to notify the competent supervisory authority,
- how to notify the supervisory authority, and
- how to make an internal record of the breach.
To show compliance with the GDPR, it might also be useful to demonstrate that employees have been informed about the existence of the response plan and that they know how to react to breaches.
Summary: steps to take in case of a personal data breach
- Assess the possible adverse consequences of the personal data breach – is there a risk to the rights and freedoms of natural persons? If your answer is yes, you are required to notify the breach to the competent supervisory authority.
- Identify your competent supervisory authority: (i) Are you established in more than one EEA Member State? (ii) Did the breach occur in relation to cross-border data processing? If yes, your lead supervisory authority is the competent supervisory authority.
- Notify the competent supervisory authority of the personal data breach, using the authority’s preferred notification method.
- Make an internal record of the personal data breach.
Notifying a supervisory authority of a personal data breach may seem like a daunting task, but it has several benefits. For example, you can obtain advice from the supervisory authority on whether the individuals affected by the data breach need to be informed. Try to see breach notification as a tool to enhance compliance with the GDPR and to help protect personal data!
If you have further questions or are interested in improving your own work with the GDPR, then you are more than welcome to contact us!
In our digital GDPR tool you can find an efficient solution on how to document and keep record of data breaches.
1. Article 33(1) GDPR.
2. For further examples, see Recitals (75) and (85) GDPR.
3. Article 56 GDPR. As you have only one establishment, it is by logic your main establishment.
4. Article 4(23) GDPR.
5. EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, p. 8.
6. EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, p. 12.
7. Article 33(5) GDPR and EDPB Guidelines 9/2022 on personal data breach notification under GDPR, p. 26.
8. EDPB Guidelines 9/2022 on personal data breach notification under GDPR, p. 27.
9. EDPB Guidelines 9/2022 on personal data breach notification under GDPR, p. 27.