In the event of a data breach, the GDPR provides for notification to the competent supervisory authority. According to Art. 33 GDPR, this must be done if the breach leads to a risk for the data subjects. In the event of a high risk, a notification must also be made to the data subject in accordance with Art. 34 GDPR. Guidelines from February 2018 exist for handling such cases, but they did not clarify certain issues. Therefore, efforts were made to develop new guidelines for data breach notifications.

On 18 January 2021, the European Data Protection Authority (EDPB) published the draft of the new Guidelines 01/2021 on Examples regarding Data Breach Notification. The guidelines are open for public consultation for a period of six weeks. Comments will be accepted until 2 March 2021.

The guidelines deal with the most common use cases. They contain a total of 18 examples, divided according to the different types of attacks, such as ransomware attacks, data exfiltration attacks, and lost or stolen devices and paper documents. For each case category, the guidelines present the most typical “good or bad practices”. The guidelines also provide information on how risks should be identified and assessed, and they highlight the factors that should be given special consideration. Finally, they provide information on the cases in which the controller should notify the supervisory authority and/or the data subjects.