Rina Steenkamp - Privacy and technology

My annotated General Data Protection Regulation

Chapter IV Controller and processor

Section 2 Data security

[Data breach notifications]

Article 31 Notification of a personal data breach to the supervisory authority

October 2013

Article 31(1)

1. In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority.

Article 31(2)

2. The processor shall alert and inform the controller without undue delay after the establishment of a personal data breach.

Article 31(3)

3. The notification referred to in paragraph 1 must at least:

The information may if necessary be provided in phases.

Article 31(4)

4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article and with Article 30. The documentation shall only include the information necessary for that purpose.

Article 31(4a)

4a. The supervisory authority shall keep a public register of the types of breaches notified.

Article 31(5)

5. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices in accordance with Article 66 paragraph 1(b) for establishing the data breach and determining the undue delay referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

Article 31(6)

6. (deleted)

[Source: October 2013]

January 2012

Article 31(1) [Amended: October 2013]

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

Article 31(2) [Amended: October 2013]

2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach.

Article 31(3) [Amended: October 2013]

3. The notification referred to in paragraph 1 must at least:

Article 31(4) [Amended: October 2013]

4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.

Article 31(5) [Amended: October 2013]

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

Article 31(6) [Deleted: October 2013]

6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

[Source: January 2012 | Context: Proposal from the European Commission]