Artikkel 33
Notification of a personal data breach to the supervisory authority
Det finnes ingen fortaletekst i direktivet relatert til art. 33.
Forordning
Art. 33 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. 2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. 3. The notification referred to in paragraph 1 shall at least: a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; c) describe the likely consequences of the personal data breach; d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. 4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. 5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
|
Direktiv
COMMISSION REGULATION (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications Art. 2 1. The provider shall notify all personal data breaches to the competent national authority. 2. The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible. The provider shall include in its notification to the competent national authority the information set out in Annex I. Detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation. 3. Where all the information set out in Annex I is not available and further investigation of the personal data breach is required, the provider shall be permitted to make an initial notification to the competent national authority no later than 24 hours after the detection of the personal data breach. This initial notification to the competent national authority shall include the information set out in Section 1 of Annex I. The provider shall make a second notification to the competent national authority as soon as possible, and at the latest within three days following the initial notification. This second notification shall include the information set out in Section 2 of Annex I and, where necessary, update the information already provided. Where the provider, despite its investigations, is unable to provide all information within the three-day period from the initial notification, the provider shall notify as much information as it disposes within that timeframe and shall submit to the competent national authority a reasoned justification for the late notification of the remaining information. The provider shall notify the remaining information to the competent national authority and, where necessary, update the information already provided, as soon as possible. 4. The competent national authority shall provide to all providers established in the Member State concerned a secure electronic means for notification of personal data breaches and information on the procedures for its access and use. Where necessary, the Commission shall convene meetings with competent national authorities to facilitate the application of this provision. 5. Where the personal data breach affects subscribers or individuals from Member States other than that of the competent national authority to which the personal data breach has been notified, the competent national authority shall inform the other national authorities concerned. To facilitate the application of this provision, the Commission shall create and maintain a list of the competent national authorities and the appropriate contact points. |
Norway
Art. 33 Melding til tilsynsmyndigheten om brudd på personopplysningssikkerheten 1. Ved brudd på personopplysningssikkerheten skal den behandlingsansvarlige uten ugrunnet opphold og når det er mulig, senest 72 timer etter å ha fått kjennskap til det, melde bruddet til vedkommende tilsynsmyndighet i samsvar med artikkel 55, med mindre bruddet sannsynligvis ikke vil medføre en risiko for fysiske personers rettigheter og friheter. Dersom bruddet ikke meldes til tilsynsmyndigheten innen 72 timer, skal årsakene til forsinkelsen oppgis. 2. Etter å ha fått kjennskap til et brudd på personopplysningssikkerheten skal databehandleren uten ugrunnet opphold underrette den behandlingsansvarlige. 3. Meldingen nevnt i nr. 1 skal minst a) beskrive arten av bruddet på personopplysningssikkerheten, herunder, når det er mulig, kategoriene av og omtrentlig antall registrerte som er berørt, og kategoriene av og omtrentlig antall registreringer av personopplysninger som er berørt, b) inneholde navnet på og kontaktopplysningene til personvernombudet eller et annet kontaktpunkt der mer informasjon kan innhentes, c) beskrive de sannsynlige konsekvensene av bruddet på personopplysningssikkerheten, d) beskrive de tiltak som den behandlingsansvarlige har truffet eller foreslår å treffe for å håndtere bruddet på personopplysningssikkerheten, herunder, dersom det er relevant, tiltak for å redusere eventuelle skadevirkninger som følge av bruddet. 4. Dersom og i den grad det ikke er mulig å gi all informasjon samtidig, kan den gis trinnvis uten ytterligere ugrunnet opphold. 5. Den behandlingsansvarlige skal dokumentere ethvert brudd på personopplysningssikkerheten, herunder de faktiske forhold rundt nevnte brudd, virkningene av det og hvilke tiltak som er truffet for å utbedre det. Denne dokumentasjonen skal gjøre det mulig for tilsynsmyndigheten å kontrollere samsvar med denne artikkel. |
Netherlands
Art. 34a WBP 1. De verantwoordelijke stelt het College onverwijld in kennis van een inbreuk op de beveiliging, bedoeld in artikel 13, die leidt tot de aanzienlijke kans op ernstige nadelige gevolgen dan wel ernstige nadelige gevolgen heeft voor de bescherming van persoonsgegevens. 2. De verantwoordelijke, bedoeld in het eerste lid, stelt de betrokkene onverwijld in kennis van de inbreuk, bedoeld in het eerste lid, indien de inbreuk waarschijnlijk ongunstige gevolgen zal hebben voor diens persoonlijke levenssfeer. 3. De kennisgeving aan het College en de betrokkene omvat in ieder geval de aard van de inbreuk, de instanties waar meer informatie over de inbreuk kan worden verkregen en de aanbevolen maatregelen om de negatieve gevolgen van de inbreuk te beperken. 4. De kennisgeving aan het College omvat tevens een beschrijving van de geconstateerde en de vermoedelijke gevolgen van de inbreuk voor de verwerking van persoonsgegevens en de maatregelen die de verantwoordelijke heeft getroffen of voorstelt te treffen om deze gevolgen te verhelpen. 5. De kennisgeving aan de betrokkene wordt op zodanige wijze gedaan dat, rekening houdend met de aard van de inbreuk, de geconstateerde en de feitelijke gevolgen daarvan voor de verwerking van persoonsgegevens, de kring van betrokkenen en de kosten van tenuitvoerlegging, een behoorlijke en zorgvuldige informatievoorziening is gewaarborgd. 6. Het tweede lid is niet van toepassing indien de verantwoordelijke passende technische beschermingsmaatregelen heeft genomen waardoor de persoonsgegevens die het betreft onbegrijpelijk of ontoegankelijk zijn voor eenieder die geen recht heeft op kennisname van de gegevens. 7. Indien de verantwoordelijke geen kennisgeving aan de betrokkene doet, kan het College, indien het van oordeel is dat inbreuk waarschijnlijk ongunstige gevolgen zal hebben voor de persoonlijke levenssfeer van de betrokkene, van de verantwoordelijke verlangen dat hij alsnog een kennisgeving doet. 8. De verantwoordelijke houdt een overzicht bij van iedere inbreuk die leidt tot de aanzienlijke kans op ernstige nadelige gevolgen dan wel ernstige nadelige gevolgen heeft voor de bescherming van persoonsgegevens. Het overzicht bevat in ieder geval feiten en gegevens omtrent de aard van de inbreuk, bedoeld in het derde lid, alsmede de tekst van de kennisgeving aan de betrokkene. 9. Dit artikel is niet van toepassing indien de verantwoordelijke in zijn hoedanigheid als aanbieder van een openbare elektronische communicatiedienst een kennisgeving heeft gedaan als bedoeld in artikel 11.3a, eerste en tweede lid, van de Telecommunicatiewet. 10. Het tweede en zevende lid zijn niet van toepassing op financiële ondernemingen als bedoeld in de Wet op het financieel toezicht. 11. Bij algemene maatregel van bestuur kunnen nadere regels worden gesteld met betrekking tot de kennisgeving. __________________________________________________________________________________________________ Section 34a 1. The controller will, without delay, notify the Authority of a breach of security, referred to in Section 13, which results in a substantial probability of serious adverse consequences or which has serious adverse consequences for the protection of personal data. 2. The controller referred to in subsection 1 will, without delay, notify the data subject of the breach, referred to in subsection 1, if this breach is likely to have unfavourable consequences for his privacy. 3. The notification to the Authority and the data subject will in any case include the nature of the breach, the bodies where more information about the breach can be obtained, and the measures recommended to limit the negative consequences of the breach. 4. The notification to the Authority will also include a description of the observed and probable consequences of the breach for the processing of personal data and the measures that the controller has taken or is proposing to take to remedy these consequences. 5. The notification to the data subject will be made in such a way that, having regard to the nature of the breach, the observed and actual consequences of it for the processing of personal data, the data subjects involved and the costs of enforcement, a proper and careful provision of the information is guaranteed. 6. Subsection 2 does not apply where the controller has taken appropriate technical protective measures that render the personal data concerned incomprehensible or inaccessible to any person who does not have a right of access to the data. 7. If the controller does not notify the data subject, then the Authority may require the controller to notify him, if it considers that the breach is likely to have unfavourable consequences for the data subject’s privacy. 8. The controller keeps a record of every infringement which results in a substantial probability of serious adverse consequences or which has serious adverse consequences for the protection of personal data. The record will in any case include facts and data regarding the nature of the breach, referred to in subsection 3, as well as the text of the notification to the data subject. 9. This section does not apply where the controller, in his capacity as a provider of a publicly available electronic communications service, has made a notification as referred to in Section 11.3a (1) and (2) of the Telecommunications Act. 10. Subsections 2 and 7 do not apply to financial enterprises within the meaning of the Financial Supervision Act. 11. Further rules may be issued regarding the notification by order in council. |