EDPB Issues New Guidance For Assessing Personal Data Breaches Under The EU GDPR




11 January 2022

Alston & Bird


On Monday, 3 January 2022, the European Data Protection Board
("EDPB") published the finalized version of its
regulatory guidance entitled "Examples regarding Personal
Data Breach Notification" (the "Guidelines"), following a
public consultation on a draft set of guidelines in 2021. The
finalized Guidelines are a practice-oriented, case-based set of
examples that leverage the experiences gained by EU Supervisory
Authorities since the EU GDPR became applicable.

The Guidelines build on and complement the Guidelines on Personal data
breach notification under Regulation 2016/679 published by the Article 29
Working Party (the "WP29" – the predecessor to the
EDPB) in 2018 and subsequently endorsed by the EDPB. That document
provides more general guidance on the EU GDPR's personal data
breach provisions, including on the controller's obligations to:

  • Document any personal data breach, including
    its facts, effects and the remedial action taken;
  • Notify personal data breaches to the competent
    Supervisory Authority (unless the breach is unlikely
    to result in a risk to the rights and freedoms of natural persons);
  • Communicate personal data breaches to affected data
    subjects (when the breach is likely to result in a
    high risk to the rights and freedoms of natural persons).

However, the EDPB considers that the WP29's guidelines did
not address all practical issues in sufficient detail. The new
Guidelines therefore go a step further by setting out 18 different
case studies together with the EDPB's analysis of the specific
facts, with the aim of providing assistance for controllers when
assessing their own personal data breaches. The EDPB's
case studies cover:

  • An assessment of the prior measures which the controller
    had (or should have) implemented to mitigate the risk;
  • Information about the risk assessment to be carried out
    by the controller in light of the facts of the case study;
  • Examples of the mitigating facts, or mitigating measures
    that the controller could take to limit risks
    to data subjects;
  • A summary of the requirements that the EDPB would
    typically consider to be triggered under the EU
    GDPR based on the risks
    identified, e.g., whether the controller should:
    (a) document the personal data breach; (b) notify it to the
    competent Supervisory Authority; and (c) communicate it to affected
    data subjects.

The Guidelines group the case studies into categories of
commonly encountered scenarios:

  • Ransomware incidents;
  • Data exfiltration attacks;
  • Personal data breaches arising from internal human risk sources
    (e.g., exfiltration of business data by an
  • Lost or stolen devices and paper documents;
  • Postal mistakes; and
  • Personal data breaches arising as a result of social

Given the EU GDPR's strict personal data breach reporting
requirements (including a requirement for controllers to notify the
Supervisory Authority of relevant personal data breaches without
undue delay, i.e., in principle within 72 hours), the
new Guidelines are likely to be a key part of any controller's
data security incident response toolbox.

The Guidance can be found here.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
