Provision of the Data Protection Authority on the notification of personal data breach
On July 30, 2019, the Italian Data Protection Authority (Garante) issued Provision no. 159 on the notification of personal data breaches: the measure sets out the procedure, deadlines and content required for a proper notification in the event of a personal data breach.
The measure is addressed both to Data Controllers and Data Processors (art. 33 GDPR) and to the competent authorities that process personal data for the purposes of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties (Legislative Decree no. 51/2018, which implements Directive (EU) 2016/680 on such processing and the free movement of such data; its art. 26 governs breach notification). It also refers to art. 65 of Legislative Decree no. 82/2005 (the Digital Administration Code) for the electronic submission of the notification itself.
The Provision also includes an Annex which reaffirms, first of all and as already laid down in art. 33 GDPR, that Data Controllers must notify the Data Protection Authority of any personal data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (including in the context of electronic communications), unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
The Annex (a fillable PDF form) allows a clear and rigorous description of the event to be drawn up, covering all the information relevant to the specific case, including:
- the type of notification;
- the identification details of the Data Controller and of the other parties involved in the processing;
- summary information on the breach and the time at which it became known to the Data Controller (the moment from which the 72-hour deadline of art. 33(1) GDPR runs; if the notification is made later, it must state the reasons for the delay);
- the nature, source and description of the event itself (both in summary and extended form);
- the data involved, and the number and categories of data subjects concerned;
- the IT systems and infrastructure affected and the security measures adopted;
- the likely consequences and severity of the breach;
- the possible negative effects on the rights and freedoms of data subjects;
- the measures taken or proposed to address the breach, and whether the breach must also be communicated to the data subjects (art. 34 GDPR).
Finally, the Provision establishes that the time limits, content and methods for notifying personal data breaches laid down in:
- the provision on security measures and modalities for the exchange of personal data between public administrations of July 2, 2015;
- the guidelines on the Health Dossier of 4 June 2015;
- the general provision on biometrics of 12 November 2014;
- the provision implementing the rules on the notification of personal data breaches of April 4, 2013;
- the provision laying down rules on the flow of information in the banking sector and the tracking of banking transactions of 12 May 2011;
are superseded and replaced by the instructions in the Annex referred to above. In practice, organisations in those sectors (public administration, healthcare, biometrics, electronic communications and banking) that still follow the earlier sector-specific notification procedures should align their incident response procedures with the single form and instructions in the Annex.