Living. Data.

Data breach? From the moment you become aware of it, every hour counts!

The classic cases of a data protection breach are sending a confidential email containing personal data to the wrong recipient, or losing an unencrypted USB stick containing sensitive data.

In the first case, the wrong recipient will probably point out quickly that something has gone wrong. From that point on, the 72-hour notification period begins, since such events are usually covered by Art. 33 GDPR. Even if the wrong recipient assures that they deleted the message immediately and did not read its content, the controller must notify the competent supervisory authority and, depending on the content of the email, the data subject.

The later a data protection breach is discovered after it occurs, the harder it is to remedy. But does that mean the controller automatically risks a fine for exceeding the notification deadline? No.

After all, Article 33(1) sentence 1 GDPR states: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority ...".

This means that, as so often, the specific circumstances decide when the clock starts ticking for a notifiable event. If there is initially only a vague suspicion, it must be investigated immediately, but it cannot yet be reported at that point. However, as soon as there is "reasonable certainty" that a data breach has occurred, it must be reported to the competent supervisory authority and, depending on its severity, to the data subjects.

In the case of the lost USB stick, the notification period begins as soon as the controller becomes aware of the loss. However, this applies only if the data was not sufficiently encrypted. If the data is encrypted, the event does not need to be reported.

Thus, the problem with the strict notification deadline is not the time of the incident but the point at which the controller becomes aware of it. At present, the supervisory authorities have no uniform position on when the controller can be deemed to have knowledge of a data protection event. Must the responsible person have personal knowledge of the event? Or is it enough for the notification deadline to start that anyone in the company becomes aware of the incident?

Judging by the supervisory authorities' statements to date, it must be assumed that what matters is not personal knowledge but the fact that certain functional units or role holders are aware of an event. A binding statement on when the deadline starts for data protection events is not yet possible.

In conclusion: in the event of a data breach, only sufficient awareness among all employees and comprehensive risk awareness within the company can protect against unintended consequences.