The GDPR stipulates the timeframes for notifying supervisory authorities and data subjects in the event of a personal data breach, as well as the details that must be provided in such circumstances. Organisations should assess their existing mechanisms and ensure that they enable accurate and timely responses in accordance with the GDPR and Cyprus law.
In accordance with Article 33 (Notification of a personal data breach to the supervisory authority) of the EU General Data Protection Regulation (“GDPR”), inter alia, in the case of a personal data breach, the Controller should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the [national] supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it should be accompanied by reasons for the delay.
Furthermore, the Processor should notify the Controller without undue delay after becoming aware of a personal data breach.
Therefore, organisations should, among other things, implement:
Specifically, the relevant personal data breach Notification should, at least:
Data subject notices must also comply with the data subject communication requirements in Article 12 of the GDPR.
It is noteworthy that where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
Importantly, the Controller should document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. Such documentation should enable the supervisory authority to verify compliance with the GDPR.
Moreover, in accordance with Section 12 (Derogation in relation to the communication of a data breach) of the Cyprus Law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data (Law 125(I)/2018) (“Law”), inter alia, a Controller may be exempt from the obligation to communicate a personal data breach to the data subject, wholly or partly, for one or more of the purposes referred to in Article 23 of the GDPR. Once again, the aforesaid exemption from the obligation to communicate a personal data breach requires carrying out an impact assessment and prior consultation with the Commissioner. The Commissioner may impose on the Controller terms and conditions for the aforesaid exemption.
Our firm helps SMEs and large organisations in a wide range of sectors to comply with the EU General Data Protection Regulation, national legislation, and the relevant guidelines of the European Data Protection Board and the local Commissioner for Personal Data Protection. Our associates focus on the technology and cybersecurity aspects so that all angles of the necessary exercise are covered, keeping pace with rapid technological change.
We advise on the appropriate safeguards that must be implemented in the Digital Age, particularly considering the substantial risks and potential consequences involved. We provide an integrated approach to securely protect our clients.
Please do not hesitate to contact us if you require further information or support on such matters.