Data breaches happen. Yet not every data breach triggers obligations under the GDPR, and companies often struggle to identify what constitutes a "personal data breach" within the meaning of the GDPR.
No company is immune to the risk of a data breach, and the number of large data breaches grows significantly year on year. Mishandling the detection of, or communication about, a data breach may also result in a falling share price or a loss of customer trust.
If a "personal data breach" occurs, the GDPR contains respective obligations to:
- notify the data protection authority and, in some instances, also the data subjects affected by the data breach (e.g. customers, employees, etc.),
- document the "personal data breaches" as they have been detected,
- comply with certain additional requirements in this regard (e.g. to be able to detect a "personal data breach" in a timely manner after it has occurred).
Violations of the respective obligations can be subject to significant fines. It is therefore important for companies to have a clear picture on their obligations under the GDPR.
Further, notifying a data protection authority necessarily means telling it which of the company's technical or organisational measures did not work as intended. It is therefore in the company's own interest to know precisely when the notification obligation applies and when it does not, i.e. what constitutes a "personal data breach" under the GDPR and what does not.
Although they contain some examples, the guidelines on personal data breach notification issued by the Article 29 Data Protection Working Party offer little help in drawing this line. Companies, however, bear the burden of proof that a particular data breach (in the everyday sense of the term) did not constitute a "personal data breach" within the meaning of the GDPR.
The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Let's have a look at the different elements of the definition:
"A breach of security …"
A "personal data breach" requires an infringing action, either an act or an omission, that leads to an infringement result (described in more detail below). The concept of a breach of "security" entails two principles:
- Violations of GDPR provisions that do not relate to security are not a "breach of security". For example, if a company violates its information obligations towards data subjects under the GDPR, this does not constitute a "breach of security".
- The initial point of reference is the set of appropriate technical and organisational measures that controllers and processors are obliged to implement, i.e. a breach of security is a violation of one or more elements of the information security triad of "confidentiality", "integrity" and "availability" (the "CIA triad"). If a company has implemented only insufficient security measures, or none at all, this in itself may constitute a breach of security under the definition.
"… leading to …"
The breach of security has to cause the infringement result. In legal terms, it has to be the "conditio sine qua non" for the relevant infringement result. The mere possibility that a breach of security could result in a relevant infringement is not sufficient. Conversely, if an infringement result arises but is not due to a "breach of security", it does not fall under the GDPR's definition of a "personal data breach".
"… the accidental or unlawful …"
The infringement result (described in more detail below) can be caused by accident, negligence or wilful misconduct. Not only fault is covered, therefore, but also breaches due to chance or force majeure. A planned system outage or scheduled maintenance, however, is neither accidental nor unlawful; planned measures are not within the scope of the "personal data breach" definition. Actions taken by a company's own employees against explicit instructions are considered "unlawful", as are violations of the duty to implement appropriate technical and organisational measures.
"… destruction, loss, alteration, unauthorised disclosure of, or access to …"
Under the "personal data breach" definition, only five infringement results are relevant. Destruction, loss and alteration relate to the key principles of "integrity" and "availability", while unauthorised disclosure and unauthorised access relate to the key principle of "confidentiality".
Destruction is where the data no longer exists, or no longer exists in a form that is of any use to the controller or a third party (e.g. after degaussing a physical hard disk).
Loss is where the data may still exist, but the controller has lost control of or access to it, or no longer has it in its possession. This also covers the situation where data has been encrypted by a third party and no back-up exists. If a usable back-up exists, the data is not lost. As a controller or processor is usually not in a position to fully assess the duration of a loss immediately after a personal data breach, temporary losses also fall within the definition.
Alteration refers to the informative value of the data rather than to its existence. Alteration is where personal data has been modified, corrupted or is no longer complete.
Disclosure of, or access to, personal data constitutes a relevant infringement result only if it is "unauthorised", i.e. not justified by a ground of justification under the GDPR (e.g. consent or overriding legitimate interests). Disclosure requires an active act by the controller or processor (or one of its employees) that makes personal data available to recipients who are not authorised to receive it, whereas access is already established if persons are able to view personal data they are not supposed to see.
"… personal data …"
A "personal data breach" under the GDPR requires that both the infringing act (the "breach of security") and the relevant infringement result ("destruction, loss, alteration, unauthorised disclosure or access") relate to personal data. Encrypted personal data remains personal data for this purpose.
"… transmitted, stored or otherwise processed"
This element of the definition clarifies that no processing activity is exempt from the "personal data breach" definition.
Examples of "personal data breaches"
The following situations may fall under the GDPR definition of a "personal data breach" and thus trigger the corresponding notification and documentation obligations, as well as requirements for the compliance organisation:
- targeted attacks by third parties, such as hacker attacks, phishing attacks or access by unauthorised employees;
- identity theft;
- lost or stolen notebooks, USB sticks or other documents containing personal data (even if encrypted);
- failure of, or inadequate, encryption in the transmission or transport of data;
- leaked passwords;
- unlocked storage of (personnel) files, to the extent that unauthorized persons can gain access to such files;
- encryption of the company's own IT infrastructure by an attacker (e.g. in course of a ransomware attack) without a backup;
- loss of decryption keys (provided that no unencrypted backup of the encrypted data exists);
- technical errors resulting in personal data being public;
- interruption or critical impairment of one's own service, e.g. in a hospital;
- break-in to a server room accompanied by destruction or loss of backup storage media;
- a fire or a water leak in the server room that paralyzes a server;
- missing access controls (physical or logical) on systems that process personal data;
- accidental deactivation of software- or hardware-based security systems;
- failure to accompany external visitors in buildings where personal data can be accessed; or
- emails or other messages sent to the wrong address / recipients.
As can be seen from the above, the individual elements of the GDPR's "personal data breach" definition are themselves subject to interpretation. The outline above summarises the legal views and examples presented in legal commentaries and in the Article 29 Data Protection Working Party guidance. Companies should nevertheless closely monitor whether national data protection authorities or courts take a different view on one or more elements of the "personal data breach" definition and, if so, adapt their compliance measures accordingly.