07 May 2021
On 14 January 2021 the European Data Protection Board (EDPB) published the Guidelines on Examples Regarding Data Breach Notification. These guidelines will help data controllers to decide how to handle personal data breaches and what factors to consider during risk assessments.
Personal data breaches may result in physical, material or non-material damage to individuals – for example:
To protect individuals, the EU General Data Protection Regulation (GDPR) imposes several obligations on data controllers – namely, they must:
To comply with these obligations, data controllers must carry out a risk assessment and decide how to handle each data breach. The EDPB guidelines constitute practice-oriented, case-based guidance that is based on the experience gained by data protection authorities in recent years.
To facilitate the decision-making process, the EDPB has identified certain cases that have occurred frequently in the past. The guidelines contain the following data breach cause classifications:
The EDPB presents information about the following for each cause:
Based on the identified cases, the guidelines not only provide guidance on the handling of data breaches and the implementation of mitigation measures, but also present technical and organisational measures that can help to prevent such breaches.
Binding or non-binding?
The EDPB guidelines are not binding, although the EDPB's role is to ensure the consistent application of the GDPR. However, the EDPB is composed of the head of one supervisory authority from each EU member state and the European Data Protection Supervisor, or their respective representatives. The guidelines are therefore based on the actions of the national data protection authorities.
Consequences for non-compliance
Data protection authorities may impose fines of up to €20 million or 4% of a company's annual turnover under Articles 83 and 84 of the GDPR. Data subjects may claim compensation under Article 82 of the GDPR. From an EU perspective, it is unclear whether competitors may send cease-and-desist letters. Companies may also face indirect costs (eg, reputational damage or management costs).
The GDPR is actively enforced.
Examples of companies experiencing non-compliance issues
Recently, the Dutch data protection authority imposed a fine of €450,000 on Booking.com.(1) The Irish data protection authority also recently imposed a fine of the same amount on Twitter.(2)
At a minimum, all controllers should:
For further information on this topic please contact Constantin Herfurth at Eversheds Sutherland (Germany) LLP by telephone (+49 89 54565 295) or email (firstname.lastname@example.org). The Eversheds Sutherland (Germany) LLP website can be accessed at www.eversheds-sutherland.com.
(1) For further information please see the Dutch data protection authority website.
(2) For further information please see the EDPB website.