Data protection day in Cologne shows: there is still uncertainty when reporting data breaches

The GDPR meets practice. At the data protection day in Cologne on September 24th, 2019, experts discussed concrete implementation experiences with the new regulations. A surprising amount is still open. The point of contention is, in particular, the obligation to report data breaches.

If a company loses personal data and thus makes it available to third parties, it must report the incident to the responsible supervisory authority within 72 hours. However, it is precisely this obligation to report data breaches that is often the greatest element of uncertainty in companies.

It is not yet clear to everyone that these incidents have to be dealt with immediately – even if it causes overtime, said a company spokesman. After all, the board members and managing directors are now sensitized. This has also led to the fear of being made personally financially liable for damage.

It is still unclear which incidents are specifically notifiable. The possibility of reporting is now used very frequently.

One of the main reasons for this are the Trojans that are circulating. Even today, smaller companies in particular have no contingency plans for such a case, despite the daily danger. But if malware has spread on the company server, it is not always automatically a reportable data breach. At the very least, companies should always have professionals and their DPO check whether personal data has actually leaked!

Notification does not exempt from liability

A misconception by companies is that an official report exempts you from liability. In the meantime, supervisory authorities have had significantly more routine and personnel to deal with such reports and sometimes asked unpleasant questions that could then lead to administrative fines.

Much remains open about the fines. Although some companies have now had to pay high fines, there is no indication of how high a penalty is for a violation. “The fact remains that we don’t have a catalog of fines,” explained Maria Christina Rost from the Hessian data protection supervisory authority. Rost was unable to comment on speculations about a supposedly official fine calculator, but assured that it would always remain with the individual examination by the state supervisory authorities.

The decision rests with the responsible body

In this context in particular, we would like to point out that the decision as to whether a data breach is notifiable or not is always a decision by the responsible body. However, the data protection officer advises with his specialist knowledge.

A guide of the Article 29 Data Protection Working Party, the former association of European data protection authorities, from autumn 2017 provides support in answering whether a data breach is notifiable or not. The paper – still up to date at this point – contains examples of processes that can lead to a notification obligation, such as:

  • Theft of login data and purchase history from an international online provider
  • As a result of an online attack, a hospital cannot access health data for 30 hours.
  • Sending personal data of over 5000 students to the wrong mailing list with hundreds of recipients
  • Sending marketing emails on a larger scale. All recipients can be identified.

The Lower Saxony data protection authority went further than these examples, which at the time also used an online form for reporting data protection violations and data breaches to include processes such as the incorrect disposal of personal data on paper, displaying the data of incorrectly affected persons in a customer portal or even the verbal disclosure of personal data has the wrong person.

Theoretically, every loss of smartphones, tablets or laptops as well as USB sticks must be reported. It is assumed that there is personal data on it, for example from customers. The question of whether this also applies when the device or at least the data is encrypted is still unresolved. There are some indications that in this case there is no obligation to report, as there is no relevant risk for those affected. It is still completely open whether the data protection authorities see it that way.

This post is also available in: German