Notification of the Supervisory Authority in case the personal data security system has been compromised is an important step in preparation for the implementation of the General Data Protection Regulation (GDPR). The document will apply to all states of the European Union on 25 May 2018.

If the technical and organizational measures have failed and the data security has been compromised, the operator has an obligation to ensure that the effects and damage produced are as low as possible. For this reason, the GDPR requires operators to notify the Surveillance Authority whether a personal data breach is breached without undue delay and, if possible, within 72 hours of the date it became aware of This one.

Also, if the breach of personal data security is likely to generate a high risk for the rights and freedoms of individuals, the operator shall inform the data subject without undue delay of the breach. Although the official translation into Romanian of the GDPR is flawed, it is clear from the English version that the notification obligation does not exist if the violation is not likely to create a risk to the rights and freedoms of individuals.

What are the issues we need to be careful about?

If the notification does not take place within 72 hours, in order to determine whether the notification was made with an undue delay, the Supervisory Authority shall, in particular, take into account the nature and gravity of the breach of personal data security, as well as the consequences and effects negative effects on the target person.

Also, as the notification period runs from the date when the operator has knowledge of the infringement, very many factual issues will be taken into account to determine the moment, such as: when informed about a potential violation, by what methods, by whom (for example: media, employees, third parties, etc.), what concrete steps it has taken to verify the information, how quickly it acted and how complicated it was to establish security breach.