European data breach notification legislation – EU Regulation 611/2013 and the GDPR
Introduction
At present, EU data breach notification legislation is narrow in scope: under the ePrivacy Directive (2002/58/EC, as amended in 2009), only providers of publicly available electronic communications services (telecoms providers) must notify the competent national authority, and in certain circumstances also the subscribers and individuals concerned, of personal data breaches. Those circumstances are summarised below.
From 25 May 2018, however, the General Data Protection Regulation (GDPR) will extend breach notification to every organisation that processes the personal data of people in the EU, whatever its sector. Under Articles 33 and 34, data controllers must notify the competent supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and must also notify the affected individuals where the breach is likely to result in a high risk to them.
This page outlines the currently applicable legislation. For information on the GDPR and how it will affect your organisation, please see our GDPR information page.
The ePrivacy Directive (2002/58/EC)
The 1995 EU Data Protection Directive (95/46/EC) is supplemented by the ePrivacy Directive (2002/58/EC). Article 4 of the ePrivacy Directive, as amended by Directive 2009/136/EC, obliges providers of publicly available electronic communications services to notify the competent national authority, and in certain cases also the subscribers and individuals concerned, of personal data breaches.
EU Regulation 611/2013
Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC sets out the detail of the ePrivacy Directive’s breach notification requirements: deadlines, content of notifications, the circumstances in which individuals must be told, and the derogation for data that has been rendered unintelligible. As a Regulation it applies directly in every Member State, without national transposition, and has applied since 25 August 2013.
Definitions
EU Regulation 611/2013 gives the following definitions:
- Personal data breach – "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union". (The Regulation uses the definition in Article 2 of the ePrivacy Directive (2002/58/EC).)
- Provider – "providers of publicly available electronic communications services".
Breach notification obligations under EU Regulation 611/2013
Competent national authorities:
- Providers of publicly available electronic communications services must notify the competent national authority no later than 24 hours after the detection of a personal data breach, where feasible. A breach counts as detected when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification; the clock does not wait for the investigation to finish. The notification must include the information set out in Annex I of the Regulation.
- Where all the information set out in Annex I is unavailable and further investigation of the personal data breach is required, providers are permitted to make an initial notification containing the information set out in Section 1 of Annex I within 24 hours of the detection of a breach.
- A second notification, containing the remaining information set out in Section 2 of Annex I, must then be made within three days of the initial notification.
- If the provider is unable to provide all the required information within three days, it must provide as much information as it can and submit a justification for the late notification of the remaining information, which it must supply as soon as possible.
- Competent national authorities must provide a secure electronic means for the notification of personal data breaches.
- Where the breach affects subscribers or individuals in other Member States, the competent national authority must inform the relevant national authorities of those Member States.
- The European Commission will create and maintain a list of competent national authorities.
Affected subscribers or individuals:
- Breached providers must also notify affected subscribers or individuals of any breach that is likely to adversely affect their personal data or privacy.
- Article 3(2) lists the circumstances that must be taken into account when assessing whether a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual: the nature and content of the personal data concerned (in particular financial information, special categories of data, location data, internet log files, web browsing histories, email data and itemised call lists); the likely consequences of the breach for the subscriber or individual (in particular identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation); and the circumstances of the breach (in particular where the data has been stolen or the provider knows it is in the possession of an unauthorised third party).
- Affected subscribers or individuals must be notified of any breach ‘without undue delay’ after its detection, independent of the notification to the relevant competent national authority.
- Affected individuals and subscribers must be informed of any breach in clear, comprehensible language. The notification must contain all the information set out in Annex II of the Regulation.
- In exceptional circumstances, and only after obtaining the agreement of the competent national authority, providers may delay notifying affected subscribers or individuals where notification would put the proper investigation of the breach at risk.
- Notification to subscribers or individuals must be made by a means of communication that ensures prompt receipt and is appropriately secured according to the state of the art. The notification must be dedicated to the breach and not combined with information on any other topic (for example, it must not be buried in a marketing mailing or a billing notice).
- Where a provider, despite reasonable efforts, is unable to identify within that timeframe all the individuals likely to be adversely affected, it may notify them through advertisements in major national or regional media in the relevant Member States, and must still notify individuals directly as soon as it has identified them.
Derogation
Notification of a personal data breach to an affected subscriber or individual is not required if the provider has demonstrated to the satisfaction of the competent national authority that it had implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the breach, so that the data is unintelligible to anyone not authorised to access it. Article 4(2) of the Regulation defines when data counts as unintelligible: either it has been securely encrypted with a standardised algorithm, or it has been replaced by a hash computed with a standardised cryptographic keyed hash function; in both cases the key must not have been compromised in any security breach and must have been generated so that it cannot be ascertained by available technological means by anyone not authorised to access it. In practice this means the derogation is lost if the key was stored with the data and leaked with it, and an unkeyed hash of a low-entropy identifier such as a phone number does not qualify. The derogation only removes the duty to notify individuals; the notification to the competent national authority is still required.
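Why the Regulation insists on a *keyed* hash is easier to see in code than in prose. The following is an added illustration, not part of the Regulation or of this page: it pseudonymises a constructed table of subscriber numbers with plain SHA-256 and with HMAC-SHA256 (the keyed construction Article 4(2)(b) contemplates), then plays the attacker who has obtained the table and enumerates the numbering range. Record layout, function names and the sample MSISDNs are this example's own assumptions.

```python
"""Keyed versus unkeyed hashing of subscriber identifiers.

Added example (not from Regulation 611/2013 or this page). Phone numbers have
so little entropy that an unkeyed hash is reversible by enumeration; a keyed
hash whose key is held separately is not, which is the property the
derogation in Article 4 of the Regulation relies on.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real subscribers.
SAMPLE_RECORDS = [
    {"msisdn": "+31600000001", "plan": "prepaid"},
    {"msisdn": "+31600000002", "plan": "postpaid"},
    {"msisdn": "+31600000003", "plan": "prepaid"},
]


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256: looks opaque but anyone can recompute it for a guess."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can compute or check a token."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with its keyed token; keep other fields.
    The key must be stored separately from the resulting table."""
    return [{**r, "msisdn": keyed_token(r["msisdn"], key)} for r in records]


def recover_by_enumeration(leaked_tokens, tokenize, prefix="+3160000", span=10_000):
    """Attacker's view of a leaked table: tokenize every number in a range and
    match against the leaked tokens. Returns {token: recovered identifier}."""
    targets = set(leaked_tokens)
    hits = {}
    for n in range(span):
        guess = f"{prefix}{n:04d}"   # enumerate +31600000000 .. +31600009999
        token = tokenize(guess)
        if token in targets:
            hits[token] = guess
    return hits


def derogation_demo():
    """How many subscribers the attacker recovers in three scenarios:
    unkeyed hash; keyed hash with the key kept safe; keyed hash with the
    key leaked alongside the table (which voids the derogation)."""
    key = secrets.token_bytes(32)            # provider's key, held separately
    attacker_key = secrets.token_bytes(32)   # attacker's guess, not the real key
    unkeyed_table = [unkeyed_token(r["msisdn"]) for r in SAMPLE_RECORDS]
    keyed_table = [r["msisdn"] for r in pseudonymise(SAMPLE_RECORDS, key)]
    return {
        "unkeyed": len(recover_by_enumeration(unkeyed_table, unkeyed_token)),
        "keyed_key_safe": len(recover_by_enumeration(
            keyed_table, lambda s: keyed_token(s, attacker_key))),
        "keyed_key_leaked": len(recover_by_enumeration(
            keyed_table, lambda s: keyed_token(s, key))),
    }


if __name__ == "__main__":
    print(derogation_demo())   # {'unkeyed': 3, 'keyed_key_safe': 0, 'keyed_key_leaked': 3}
```

The unkeyed table gives up every subscriber after a few thousand hash computations, so it would not satisfy the competent national authority; the keyed table gives up nothing while the key stays out of the breach, and everything once the key is in the attacker's hands. The same reasoning applies to the encryption branch of the derogation: a ciphertext is only unintelligible for as long as the decryption key was not part of the same incident.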
Further breach notification guidance
The Article 29 Working Party (the advisory body of national data protection authorities established by the EU Data Protection Directive) adopted Opinion 03/2014 on Personal Data Breach Notification in March 2014. It offers guidance on implementing data breach notification procedures in multiple sectors, not just telecoms, works through example breach scenarios, and presents good practices for all data controllers.
How to use ISO 27001 to comply with Regulation 611/2013 and the GDPR
If you want to ensure the security of your organisation’s information assets and prepare for the GDPR, we advise implementing an ISMS (information security management system) as set out in the international best-practice standard ISO 27001. ISO 27001 offers a holistic approach to information security that encompasses people, process and technology, and its incident management requirements support, although they do not by themselves demonstrate, adherence to Regulation 611/2013 and the GDPR.
For more information on ISO 27001, and to see how IT Governance’s fixed-price ISO 27001 implementation solutions will help you implement the Standard in your organisation at a speed and for a budget appropriate to your individual needs and preferred project approach, please click here.
Information correct as of September 2016