Dear Madam or Sir,
First of all, we would like to express our sincere thanks for the opportunity to provide comments on the Article 29 Working Party’s proposed “Guidelines on Personal Data Breach Notification” (hereinafter “the Guidelines”). Spolek pro ochranu osobních údajů (Data Protection Association) is the largest organization bringing together professionals in the area of personal data protection and future personal data protection officers in the Czech Republic. We are grateful to have been given the opportunity to review the Guidelines. However, we would like to respectfully submit some additions and refinements to the proposals in the Guidelines.
We have considered especially the following issues:
- Assessment of temporary unavailability of data as data breach
- Controller’s awareness of a data breach
- Notifications to the Lead Supervisory Authority
- Disclosure of data breach notifications
- Very broadly defined notification obligation
Temporary unavailability of data as data breach
On page 7 of the Guidelines, the WP29 states that an incident resulting in personal data being made unavailable for a period of time is a security breach. We do not believe that this approach is consistent with the definition of personal data breach according to Art. 4 point 12 of the GDPR, where only loss of personal data is mentioned. We understand that even temporary unavailability of data can have significant consequences for data subjects, but only in a limited number of specific situations. Any extension of the scope of the definition beyond the explicit legal text should therefore be carefully considered and limited to the extent to which it is strictly necessary.
Controller’s awareness of a data breach
We would like to clarify the time from which the controller could be considered as becoming aware of a data breach. Especially in larger organizations it would be inappropriate to consider the awareness of a single employee as the awareness of the whole organization. We would rather suggest emphasizing that the awareness of the controller begins at the moment when the responsible employee, or an employee who on account of his or her position (lawyer, member of the IT department, any manager) is able to assess the importance of the particular situation, is informed. However, a prerequisite for such an approach should be that the controller has a functional breach notification system in place, as emphasized in Section II.A. of the Guidelines.
Further, on page 11 the WP29 states that the controller should be considered as “aware” once the processor has become aware. We respectfully disagree with this opinion. The processor’s awareness of the breach cannot equate to the controller’s awareness, even if the controller is, according to the GDPR, responsible for the processor. We would rather suggest construing the moment of the controller’s awareness such that the controller is deemed aware at the latest at the moment when he/she should have been informed of the data breach by his/her processor complying with the processor’s obligation under Art. 33/2 GDPR. That means there are two options:
a) if the processor duly fulfills its obligations, the controller should be considered as aware at the moment when he/she receives the relevant information from the processor;
b) if the processor fails to inform the controller, the controller should be considered as aware at the moment when he/she would have received the relevant information from the processor had the processor duly fulfilled its obligation under Art. 33/2.
Notification to the Lead Supervisory Authority
We see a certain discrepancy between the text of the Guidelines on page 15 and the flowchart on page 26. The Guidelines on page 15 provide that in cases where a breach affects the personal data of individuals in more than one Member State, the controller shall notify the lead supervisory authority (even if the controller may wish to proactively and voluntarily report an incident to a supervisory authority which is not its lead authority). On the other hand, in the flowchart on page 26 it is stated that if the breach affects individuals in more than one Member State, the controller should notify each competent supervisory authority. We would suggest unifying both parts.
Disclosure of data breach notifications
We would recommend emphasizing in the Guidelines that supervisory authorities should handle the information about a data breach provided by a controller very carefully and keep such information confidential where necessary. Especially in situations where an internal investigation by the controller is still ongoing, the publication or leakage of information about a data breach could negatively affect the rights of data subjects, because it could limit the controller’s ability to ascertain the cause of the data breach and to identify the culprit. Of course, the legal obligation to inform data subjects would not be affected.
Very broadly defined notification obligation
We believe that the personal data breach notification obligation is defined too broadly. On page 15 the Guidelines refer to Opinion 03/2014 on breach notification and give an example in which data encrypted with a state-of-the-art algorithm are also subject to notification. Such an opinion will in practice mean that every single loss of an encrypted work telephone will have to be notified, even though the key is intact and the personal data are unintelligible.
This approach will generate a need for numerous notifications and place a heavy burden on the controller’s side as well as on the Authority’s side.
We are really grateful for the opportunity to provide the above-mentioned comments on the Guidelines.
JUDr. Vladan Rámiš, Ph.D.
Chairman of the Committee
Ing. Václav Mach
Vice Chairman of the Committee