Personal Data Breaches Notification

Have you ever sent an email to the incorrect email address or received postal mail which was not addressed to you?  I think the answer is: who hasn’t. Often an email or postal mail contains personal data such as name, surname, address, mobile number and any other identifiable data and if this personal data is divulged to the incorrect recipient, it is considered as a personal data breach.

By means of introduction, the Information Commissioner’s office (ICO) defines personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” A breach could be a result of a malicious attempt or also an accident.

Earlier this year in January, the European Data Protection Board (EDPB) published guidelines (Guidelines 01/2021) containing practical cases of personal data breaches. For each of the different potential breaches the guidelines provide technical and organisational measures that could prevent the eventual breaches as well as mitigation measures to diminish the impact on the data subjects post-breach. The guidelines continue to outline the obligations of the data controller in case of a personal data breach and the notification procedure depending on the severity of the breach. The guidelines provide various case studies on a variety of potential data breaches such as ransomware, data exfiltration attacks, internal human risk source, lost or stolen devices and paper documents, misdelivery and other cases such as identity theft.

Notification in case of data breach could be either to the supervisory authority, which in the local scenario would the Information Data Protection Commissioner (IDPC) or the data subjects themselves depending on the gravity of the breach. Article 33 (1) of the GDPR states that the controller is required to inform the supervisory authority within seventy-two (72) hours of coming to know about a breach. The communication to data subjects is regulated in Article 34 (1) of the GDPR. This article states the controller is to communicate to the effected data subjects where the breach results in a high-risk to their rights and freedoms. Moreover, in all situations the guidelines instruct data controllers to document the personal breach in a data breach register.

While the guidelines provide a practical understanding of Article 33 and 34 of the GDPR, it is imperative that each personal data breach is considered in its entirety and a case-by-case assessment is conducted to ensure the best course of action.


You can access these Guidelines from here.

How can RSM help?

We have a diverse and experienced team that can assist you with meeting your GDPR obligations. We address your requirements holistically taking into consideration technology tools, knowledge and resources. Our experienced team can help you in any of the following:

  • Drafting or reviewing relevant data protection documents, policies or notices tailored to the nature and size of your business;
  • Carrying out a GDPR Gap assessment to assist with the identification of risks and gaps in operational controls;
  • An independent GPDR audit;
  • Outsourced DPO services and/or DPO support services
  • GDPR training.

If you would like to find out more please contact Vladimiro Comodini, Partner ([email protected]) or Marion Borg Muscat, Lead Consultant ([email protected]).