Hacked - Do I have to inform my customers about a data breach?

A Data Breach can occur even under the best of circumstances. If a loss or a so-called "personal data breach" occurs, the supervisory authority must be notified within 72 hours pursuant to Art. 33 GDPR. If there is also a high risk for the data subject(s), the breach must also be notified to the data subject pursuant to Art. 34 GDPR.

The aim of the notification requirements is not to punish a company for any misconduct, but rather to minimize the risks - resulting from the breach - for the data subjects.

Which data breaches must be reported to the supervisory authority?

If there is a personal data breach, this must be reported to the supervisory authority. Such a breach of security occurs when it leads to

• destruction,
• loss,
• alteration,
• unauthorized disclosure or
• unauthorized access of the personal data transmitted, stored or otherwise processed.

In terms of its content, the notification to the supervisory authority must contain at least a description of the nature of the personal data breach, the contact details of the data protection officer, a description of the likely consequences, and a description of measures already taken and proposed. The notification must be made by the data controllers themselves. Accordingly, if a breach has occurred at a processor, the notification must be made by the controller (principal) and not the processor.

The notification to the supervisory authority is made independently of the notification to the data subjects themselves. Having to inform customers about such a data protection incident can also have an impact on future business relationships, so such a notification should also be transparent about the protective measures taken so as not to forfeit the last trust of customers.

Do I have to notify my customer?

For this reason, with regard to the notification obligation (of the data subjects), a consideration must be made as to what extent the personal rights and freedoms of the data subjects are endangered by the data breach. According to Art. 34 GDPR, this is regularly the case if there is a high risk. Such a high risk exists if a forecast shows that a low level of damage is either highly likely to occur or that the damage (with a low probability of occurrence) could be high.

This forecast must also include whether notification could mitigate the risks to affected individuals. In such a case, notification to the data subjects would also be considered mandatory in any case.

Moreover, data subjects within the meaning of this regulation can only be natural persons, because otherwise no personal data would be affected.

Are there exceptions to the
notification obligation?

There are some exceptions to this notification obligation according to Article 34 (3) of the GDPR. However, all exceptions are based on the fact that either measures have already been taken before or immediately after the incident, which reduce the risk for the data subjects to an acceptable (see above) risk. Thus, in the case of a Data Breach in which - according to the state of the art - encrypted data has been lost, notification is generally not required.

If notification is only possible with an enormous amount of effort (e.g., due to the large number of people affected), public announcement of the incident is also possible as an alternative.

In summary, in the event of a data protection incident, notification can only be dispensed with in cases where the risk to the data subjects is very low.