According to Art. 34 Para. 1 GDPR, data subjects only have to be informed about a data protection incident if it results in a high risk for their rights and freedoms. The controller must therefore make a forward-looking assessment of whether there is a high risk for those affected. This assessment is difficult, because the GDPR does not specify the criteria by which an incident is classified as “no risk”, “an average risk” or “a high risk”.
Note that you already have to report the data protection incident to the supervisory authority if there is a normal risk. The persons concerned, however, only have to be informed if the incident carries a high risk for their rights and freedoms. In such cases, the company's potential loss of reputation must be weighed against the transparent information owed to those affected.
However, the supervisory authority's decision that the persons concerned did not have to be informed in this case is difficult to follow. After all, the payment information of those affected was disclosed to third parties, as were e-mail addresses that the hackers can use to send malware or phishing e-mails. From our point of view, this is a data protection incident that triggers a reporting obligation both to the supervisory authority and to the persons concerned.
This incident also shows how important IT security is in the company. Deficiencies in IT security can lead to the disclosure of millions of data records.
Our IT security team helps you to identify and ward off risks – for example by setting up an ISMS. Contact us!