GDPR Compliance - notification of data breachIs it possible for non-EU companies to avoid GDPR regulatory issues through filters and firewalls?GDPR and logging which user accessed which personal informationHow to satisfy GDPR's consent requirement for IP logging?GDPR privacy policy - Data controller vs Data processor“Right of access by the data subject” if the IP address is the only personal dataGDPR - am I a data controller as an app owner if I do not have access to the data?GDPR and personal data that gets crawled and ends up on other websitesResponsible GDPR data protection authority (DPA) responsible for non-EU companies?Cause of action for data processor where the data controller neglects to notify supervisory authorityIs a public IP address classified as “personal data” for a third party under EU law?
Word for soundtrack music which is part of the action of the movie
Planting Trees in Outer Space
Why would an invisible personal shield be necessary?
How to remove rebar passing through an inaccessible pipe
Were there any unmanned expeditions to the moon that returned to Earth prior to Apollo?
Why was the Lobbying Transparency and Accountability Act of 2006 deemed too weak?
Applications of pure mathematics in operations research
LWC: Removing a class name on scroll
How does Asimov's second law deal with contradictory orders from different people?
How to innovate in OR
How and why does the ATR-72 sometimes use reverse thrust to push back from the gate?
Scam? Checks via Email
Should I intervene when a colleague in a different department makes students run laps as part of their grade?
Password management for kids - what's a good way to start?
Should I put my name first or last in the team members list?
integration of absolute value
What is the range of a Drunken Monk's Redirect attack?
In the Schrödinger equation, can I have a Hamiltonian without a kinetic term?
Gold Battle KoTH
How do discovery writers hibernate?
How to calculate points under the curve?
Using Python in a Bash Script
Adding a (stair/baby) gate without facing walls
Why does Latex make a small adjustment when I change section color
GDPR Compliance - notification of data breach
Is it possible for non-EU companies to avoid GDPR regulatory issues through filters and firewalls?GDPR and logging which user accessed which personal informationHow to satisfy GDPR's consent requirement for IP logging?GDPR privacy policy - Data controller vs Data processor“Right of access by the data subject” if the IP address is the only personal dataGDPR - am I a data controller as an app owner if I do not have access to the data?GDPR and personal data that gets crawled and ends up on other websitesResponsible GDPR data protection authority (DPA) responsible for non-EU companies?Cause of action for data processor where the data controller neglects to notify supervisory authorityIs a public IP address classified as “personal data” for a third party under EU law?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.
Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.
The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.
In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?
Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.
In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?
gdpr
asked 9 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.
Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.
The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.
In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?
Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.
In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?
gdpr
asked 9 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.
Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.
The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.
In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?
Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.
In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?
gdpr
asked 9 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.
Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.
The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.
In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?
Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.
In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?
gdpr
gdpr
asked 9 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
SimonSimon
1062 bronze badges
asked 9 hours ago
SimonSimon
1062 bronze badges
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 7 hours ago
amonamon
1,7903 silver badges11 bronze badges
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "617"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f43356%2fgdpr-compliance-notification-of-data-breach%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 7 hours ago
amonamon
1,7903 silver badges11 bronze badges
add a comment |
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 7 hours ago
amonamon
1,7903 silver badges11 bronze badges
add a comment |
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 7 hours ago
amonamon
1,7903 silver badges11 bronze badges
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 7 hours ago
amonamon
1,7903 silver badges11 bronze badges
answered 7 hours ago
amonamon
1,7903 silver badges11 bronze badges
answered 7 hours ago
amonamon
1,7903 silver badges11 bronze badges
answered 7 hours ago
amonamon
1,7903 silver badges11 bronze badges
1,7903 silver badges11 bronze badges
add a comment |
add a comment |
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Law Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f43356%2fgdpr-compliance-notification-of-data-breach%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
