GDPR Compliance - notification of data breachIs it possible for non-EU companies to avoid GDPR regulatory...
Word for giving preference to the oldest child
UX writing: When to use "we"?
Why is “deal 6 damage” a legit phrase?
Why didn't General Martok receive discommendation in Star Trek: Deep Space Nine?
What does 「ちんちんかいかい」 mean?
Academic progression in Germany, what happens after a postdoc? What is the next step?
Stationing Callouts using VBScript Labeling in ArcMap?
What Marvel character has this 'W' symbol?
Is it unprofessional to mention your cover letter and resume are best viewed in Chrome?
What parameters are to be considered when choosing a MOSFET?
Password management for kids - what's a good way to start?
Value of a limit.
Best practice for keeping temperature constant during film development at home
What kind of horizontal stabilizer does a Boeing 737 have?
How does the barbarian bonus damage interact with two weapon fighting?
What force enables us to walk? Friction or normal reaction?
Why are we moving in circles with a tandem kayak?
Rampant sharing of authorship among colleagues in the name of "collaboration". Is not taking part in it a death knell for a future in academia?
Can I shorten this filter, that finds disk sizes over 100G?
No Shirt, No Shoes, Service
Were there any unmanned expeditions to the moon that returned to Earth prior to Apollo?
Balancing Humanoid fantasy races: Elves
How did Biff return to 2015 from 1955 without a lightning strike?
Russian pronunciation of /etc (a directory)
GDPR Compliance - notification of data breach
Is it possible for non-EU companies to avoid GDPR regulatory issues through filters and firewalls?GDPR and logging which user accessed which personal informationHow to satisfy GDPR's consent requirement for IP logging?GDPR privacy policy - Data controller vs Data processor“Right of access by the data subject” if the IP address is the only personal dataGDPR - am I a data controller as an app owner if I do not have access to the data?GDPR and personal data that gets crawled and ends up on other websitesResponsible GDPR data protection authority (DPA) responsible for non-EU companies?Cause of action for data processor where the data controller neglects to notify supervisory authorityIs a public IP address classified as “personal data” for a third party under EU law?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.
Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.
The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.
In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?
Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.
In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?
gdpr
asked 8 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.
Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.
The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.
In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?
Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.
In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?
gdpr
asked 8 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.
Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.
The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.
In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?
Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.
In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?
gdpr
asked 8 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.
Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.
The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.
In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?
Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.
In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?
gdpr
gdpr
asked 8 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 8 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 8 hours ago
SimonSimon
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 8 hours ago
SimonSimon
1062 bronze badges
asked 8 hours ago
SimonSimon
1062 bronze badges
1062 bronze badges
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 6 hours ago
amonamon
1,7903 silver badges11 bronze badges
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "617"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f43356%2fgdpr-compliance-notification-of-data-breach%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 6 hours ago
amonamon
1,7903 silver badges11 bronze badges
add a comment |
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 6 hours ago
amonamon
1,7903 silver badges11 bronze badges
add a comment |
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 6 hours ago
amonamon
1,7903 silver badges11 bronze badges
The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.
This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.
The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.
If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.
In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.
As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.
answered 6 hours ago
amonamon
1,7903 silver badges11 bronze badges
answered 6 hours ago
amonamon
1,7903 silver badges11 bronze badges
answered 6 hours ago
amonamon
1,7903 silver badges11 bronze badges
answered 6 hours ago
amonamon
1,7903 silver badges11 bronze badges
1,7903 silver badges11 bronze badges
add a comment |
add a comment |
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Simon is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Law Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f43356%2fgdpr-compliance-notification-of-data-breach%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
