Data Breach Policy
This document summarizes the obligations imposed by the European General Data Protection Regulation (GDPR) in relation to personal data breaches (hereinafter "data breach") and describes Agile's procedure for handling such events.
The procedure applies to, and is binding on, all employees, consultants and collaborators of Agile, as well as suppliers of specific services.
For further information on monitoring and responding to events that may jeopardize information security, please refer to the Incident Security Policy.
If the internal data breach notice form cannot be found on the Compliance SharePoint, please contact the Compliance team (compliance@agilelab.it) as soon as possible.
GDPR and Data Breach
Articles 33 and 34 of the GDPR require the data controller, in the event of a "personal data breach," to:
- Notify the supervisory authority (Article 33).
- Communicate the breach to the data subjects (Article 34).
The term "personal data breach" is defined in Article 4, Point 12, as a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
Therefore, a breach occurs when:
- Data no longer exists or is no longer in a form that is of any use to the data controller.
- Data has been modified or altered.
- The data controller no longer has access to or control over the data.
- Data has been disclosed to unauthorized recipients.
Consequently, a breach may involve:
- Confidentiality: in the case of unauthorized or accidental disclosure of, or access to, the data.
- Integrity: in the case of unauthorized or accidental alteration of the data.
- Availability: in the case of accidental or unauthorized loss of access to the data, or its destruction.
Regarding the latter type of breach, it is important to note that even a temporary loss of availability is a personal data breach; whether it must be notified depends on the risk assessment described below.
Risk to the rights and freedoms of individuals
The occurrence of a data breach does not by itself trigger the obligation to notify. The breach must be capable of affecting the rights and freedoms of the data subjects.
Notification to the supervisory authority is not required if the breach "is unlikely to result in a risk to the rights and freedoms of natural persons" (Article 33); communication to the data subjects is required only where the breach "is likely to result in a high risk to the rights and freedoms of natural persons" (Article 34).
The data controller must objectively assess the risk, taking into account the following criteria:
- Potential harm that the breach may cause (e.g., damage to reputation, identity theft, economic loss).
- Currency of the data.
- Types of data involved. Certain types of data receive greater protection under the GDPR, such as judicial data, health data, and financial data.
- Volume of data involved (the number of data subjects affected by the breach).
- Type of breach (e.g., unauthorized access, theft, data destruction, loss).
- Ability to identify the data subjects affected by the breach.
- Special characteristics of the data subjects. Certain individuals, such as vulnerable persons (e.g., minors, disabled persons, the elderly, the mentally ill, asylum seekers), receive special protection under the GDPR.
Even if the data controller believes that the conditions for notification are not met, Article 33(5) still requires it to document all breaches. To do so, the data controller must maintain an up-to-date inventory of breaches that clearly shows:
- When the breaches occurred.
- The resulting consequences.
- Measures taken to address the breaches, demonstrating responsible handling in accordance with Article 32 regarding security measures.
Other exemption grounds for notifying data subjects
Article 34 provides additional circumstances under which communication to data subjects is not required. These include cases where:
- The data controller has implemented appropriate technical and organizational protection measures, such as encryption or pseudonymization, rendering the data unintelligible to any person not authorized to access it.
- The data controller has taken subsequent measures ensuring that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
- Notifying the data subjects individually would involve a disproportionate effort; in that case a public communication or similar equally effective measure must be used instead.
Notification to the Supervisory Authority
The data controller must notify the supervisory authority of the breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it" (Article 33).
First, it is necessary to determine the moment when the data controller becomes aware of the breach. The notification period begins from that moment.
The Article 29 Working Party Guidelines state that the data controller should be regarded as "aware" when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. In some cases the breach will be evident immediately; in others, a short period of investigation may be needed to establish it.
The Guidelines also emphasize the need for a prompt response and for measures that allow breaches to be detected quickly. A data controller that pleads ignorance of a breach to justify non-notification must therefore be able to show that it had implemented appropriate technical measures (e.g., data flow monitoring, log analysis) and organizational measures to become aware of breaches promptly.
If the data controller is informed of the breach by its data processor, it is considered aware from the moment of that notification. If the information comes from another party (e.g., a data subject or the media), the data controller may carry out a short investigation to establish whether a breach has actually occurred and whether remedial action can avert harm to the rights and freedoms of data subjects; the notification period starts as soon as the controller is reasonably certain that a breach has occurred.
Notification deadline
The standard deadline for notification is 72 hours from the data controller's awareness of the breach. However, Article 33 allows the data controller to notify beyond the 72-hour deadline, but they must provide a justified explanation for the delay along with the notification.
Content of the notification
The notification must include the following information:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer or another contact point where further information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed to be taken by the data controller to address the breach and, where appropriate, to mitigate its possible adverse effects.
Since the primary purpose of the regulation is to limit the adverse effects of a breach, a data controller that does not yet have all the necessary information may notify in phases. In the initial communication to the supervisory authority it provides the information available at that time and supplements it in a subsequent notification, even beyond the 72-hour deadline, provided that the reasons for the delay are also communicated.
In this case, the data protection authority will collaborate with the data controller to establish the methods and timing for providing supplementary information.
Communication to Data Subjects
In addition to notifying the supervisory authority, the data controller must communicate the breach to the data subjects when it is likely to result in a high risk to their rights and freedoms, so that they can take measures to protect themselves.
Content of the communication
The communication must be made "without undue delay" and must include:
- A description of the nature of the breach.
- The name and contact details of the data protection officer or another contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken by the data controller to address the breach and, where appropriate, to mitigate its possible adverse effects.
The primary function of this communication is to help data subjects prevent or minimize the harm they may suffer, following any guidance the supervisory authority gives the data controller.
The communication to data subjects should be made in a dedicated message, not bundled with other content such as newsletters or marketing material.
Only where individual communication would involve a disproportionate effort may the data controller resort to a public communication, such as posting a notice on its website.
Relationship between the Data Controller and Data Processor
Each data processor plays a fundamental role in enabling the data controller to comply with the GDPR. The data processor must inform the data controller without undue delay after becoming aware of a breach affecting the data it processes on the controller's behalf, so that the controller can fulfil its own obligations within the required timeframe.
Sanctions for Non-Compliance
Failure to notify the supervisory authority or to communicate the breach to data subjects may result in two types of measures:
- Corrective measures under Article 58(2) (e.g., a temporary or definitive limitation on processing, or an order to communicate the breach to the data subjects).
- Administrative fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Administrative fines may be imposed together with the measures under Article 58(2) or on their own.
Recording of Data Breaches
Data breaches are promptly recorded in the GDPR Registers by the Compliance Team.