GDPR Compliance - notification of data breachIs it possible for non-EU companies to avoid GDPR regulatory issues through filters and firewalls?GDPR and logging which user accessed which personal informationHow to satisfy GDPR's consent requirement for IP logging?GDPR privacy policy - Data controller vs Data processor“Right of access by the data subject” if the IP address is the only personal dataGDPR - am I a data controller as an app owner if I do not have access to the data?GDPR and personal data that gets crawled and ends up on other websitesResponsible GDPR data protection authority (DPA) responsible for non-EU companies?Cause of action for data processor where the data controller neglects to notify supervisory authorityIs a public IP address classified as “personal data” for a third party under EU law?

How to remove rebar passing through an inaccessible pipe

Why are prop blades not shaped like household fan blades?

How to prevent a single-element caster from being useless against immune foes?

Using Python in a Bash Script

Should I put my name first or last in the team members list?

Scam? Checks via Email

Reducing the time for rolling hash

Coworker mumbles to herself when working, how to ask her to stop?

How and why does the ATR-72 sometimes use reverse thrust to push back from the gate?

How can you tell the version of Ubuntu on a system in a .sh (bash) script?

Easy way to get process information from a window

How to calculate points under the curve?

My employer is refusing to give me the pay that was advertised after an internal job move

Can living where Rare Earth magnetic ore is abundant provide any protection from cosmic radiation?

How does the barbarian bonus damage interact with two weapon fighting?

Translate the beginning of the blessing "Asher Yatzar"

How can flights operated by the same company have such different prices when marketed by another?

What is the oxidation state of Mn in HMn(CO)5?

No Shirt, No Shoes, Service

What Marvel character has this 'W' symbol?

Avoiding Implicit Conversion in Constructor. Explicit keyword doesn't help here

What force enables us to walk? Friction or normal reaction?

How to innovate in OR

What are these hats and the function of those wearing them? worn by the Russian imperial army at Borodino



GDPR Compliance - notification of data breach


Is it possible for non-EU companies to avoid GDPR regulatory issues through filters and firewalls?GDPR and logging which user accessed which personal informationHow to satisfy GDPR's consent requirement for IP logging?GDPR privacy policy - Data controller vs Data processor“Right of access by the data subject” if the IP address is the only personal dataGDPR - am I a data controller as an app owner if I do not have access to the data?GDPR and personal data that gets crawled and ends up on other websitesResponsible GDPR data protection authority (DPA) responsible for non-EU companies?Cause of action for data processor where the data controller neglects to notify supervisory authorityIs a public IP address classified as “personal data” for a third party under EU law?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1















In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.



Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.

The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.



In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?



Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.



In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?










share|improve this question







New contributor



Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



























    1















    In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.



    Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.

    The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.



    In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?



    Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.



    In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?










    share|improve this question







    New contributor



    Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      1












      1








      1








      In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.



      Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.

      The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.



      In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?



      Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.



      In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?










      share|improve this question







      New contributor



      Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      In Art. 33, the GDPR specifies that a controller must notify a personal data breach to the supervisory authority after having become aware of it.



      Case 1: A database dump with personal data is hosted for a period of time on a server that is accessible from the internet. The file can be downloaded without authentication from anyone knowing the url.

      The controller has no evidence of someone downloading the file because the web server hosting the file keeps no logs, or not all logs for the full period of time that file was available for download are kept on the server because they get automatically rotated.



      In this case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach?



      Case 2: say a web application available from the internet grants access to some users to sensitive personal data. This is the primary use case for this web app. The website uses https to encrypt data in transit. For some configuration error on the web server, https gets disabled and all traffic to this website is in clear for a period of time.



      In this second case, does the controller need to notify the supervisory authority? Even if there is no evidence of a breach because no man in the middle attack was detected?







      gdpr






      share|improve this question







      New contributor



      Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      share|improve this question







      New contributor



      Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      share|improve this question




      share|improve this question






      New contributor



      Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      asked 9 hours ago









      SimonSimon

      1062 bronze badges




      1062 bronze badges




      New contributor



      Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




      New contributor




      Simon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.

























          1 Answer
          1






          active

          oldest

          votes


















          4














          The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”



          In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.



          This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.



          The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.



          If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.



          In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.



          As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.






          share|improve this answer



























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "617"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );






            Simon is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f43356%2fgdpr-compliance-notification-of-data-breach%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            4














            The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”



            In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.



            This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.



            The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.



            If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.



            In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.



            As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.






            share|improve this answer





























              4














              The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”



              In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.



              This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.



              The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.



              If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.



              In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.



              As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.






              share|improve this answer



























                4












                4








                4







                The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”



                In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.



                This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.



                The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.



                If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.



                In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.



                As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.






                share|improve this answer













                The GDPR gives controllers a lot of latitude. They must decide on the correct course of action taking into account the possible risks to data subjects. Specifically, no notification of the authority is necessary if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”



                In your scenario 1, you suggest that there is no breach because there is no evidence that the data was improperly accessed.



                This analysis is faulty: the controller is aware that the data was not properly secured, and cannot rule out that the data was improperly accessed. I would argue this fits the description of a “breach of security leading to the accidental or unlawful … unauthorised disclosure of … personal data” (compare the definition of a data breach in Art 4(12)). Thus, a data breach has happened.



                The question whether the supervisory authority has to be notified of that breach is more debatable. The controller must assess the likelihood of risks to the data subjects. Here, they can perhaps argue that the risk of disclosure is low. However, the nature of the breached data would also be relevant.



                If in doubt, the controller should make the notification. The goal of the GDPR is not to punish unlucky companies that suffer a breach, but to protect personal data. Thus, fixing mistakes and cooperating with the supervisory authorities is likely the best approach for most companies.



                In your second scenario, the data is sensitive – its disclosure has a high risk for data subjects. However, the risk of someone intercepting this data is debatable. Does the risk of interception balance out the sensitivity of the data? That's the data controller's call, but I don't think so. A notification would seem appropriate here.



                As a technical remark, simply offering HTTPS is not sufficient to prevent MitM attacks – users must be forced to use encrypted connections. If a controller sees MitM as a risk, they are required by Art 24 to take appropriate technical measures. Here HSTS and HSTS preload would prevent the connections from being downgraded to HTTP. Instead of offering insecure connections, the site would become inaccessible. A complementary strategy is to not serve content over HTTP, but have the HTTP server only issue a permanent redirect to the HTTPS URL.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 7 hours ago









                amonamon

                1,7903 silver badges11 bronze badges




                1,7903 silver badges11 bronze badges























                    Simon is a new contributor. Be nice, and check out our Code of Conduct.









                    draft saved

                    draft discarded


















                    Simon is a new contributor. Be nice, and check out our Code of Conduct.












                    Simon is a new contributor. Be nice, and check out our Code of Conduct.











                    Simon is a new contributor. Be nice, and check out our Code of Conduct.














                    Thanks for contributing an answer to Law Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f43356%2fgdpr-compliance-notification-of-data-breach%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                    Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                    199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單