Guidelines On Personal Data Breach Notification For The European Union Institutions And Bodies

The Guidelines aim to provide practical advice to the EU institutions and bodies (EUI) on how to comply with the provisions on personal data breaches in Articles 34 and 35 of the Regulation on the processing of personal data by the EUI (Regulation (EU) 2018/1725).

The Regulation integrates the principles of the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter "GDPR"), including those on personal data breaches, into the data protection rules for the EU institutions.

The Guidelines provide recommendations and indicate best practices for implementing accountability in personal data protection, by helping the EUI to assess and manage the risks to data protection, privacy and other fundamental rights of individuals in case of a personal data breach. They collect and consolidate the advice that the European Data Protection Supervisor (EDPS) has been giving the EUI in recent years, for example in the context of the first inter-institutional tenders.

These Guidelines outline the approach that the EUI should take to respond adequately to a personal data breach.

The EDPS considers the best practices listed hereafter as a reference when assessing compliance with the Regulation. The EUI may choose alternative, equally effective measures in place of the ones presented in this paper, taking into account their specific needs. In that case they will need to demonstrate how these measures lead to an equivalent level of protection of personal data.

The EUI should regularly assess their personal data breach procedures. The assessment should show that the EUI can respond effectively to a personal data breach, preventing it or mitigating its risk to an acceptable level.

The Guidelines describe:
– What a personal data breach is
– How to assess a personal data breach
– How to notify a personal data breach to the EDPS
– How to communicate a personal data breach to the data subject
– How to document a personal data breach
Furthermore, the Guidelines provide a template form for the notification of a personal data breach to the EDPS by the EU institutions.

