posted 3 years ago
In mid-December, the European Data Protection Board (EDPB) adopted Guidelines 01/2021 on examples of data breach notification (the “Guidelines”) to support data controllers and processors in handling personal data breaches. Eighteen examples covering different types of attacks were included. The Guidelines are a practical complement to the Article 29 Working Party’s (WP 29) Guidelines on Personal Data Breach Notification under Regulation (EU) 2016/679.
A data breach is a breach of security that results in the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidentally or unlawfully. Data breaches can be:
In such a case the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is unlikely to result in a risk to the rights and freedoms of natural persons, notification is not required; an assessment must nevertheless be conducted and documented. Based on these obligations, the EDPB prepared the Guidelines.
The examples are divided into five main types (ransomware, data exfiltration, internal human source of risk, lost or stolen devices or paper documents, incorrect mailing). Each example sets out the initial actions that need to be taken, a detailed risk analysis, risk mitigation measures and the obligations of the responsible party.
For ransomware attacks, the relevant factors are whether a back-up exists, whether data exfiltration occurred, the volume of affected data and whether special categories of data were affected. The outcome of the assessment for otherwise similar ransomware attacks may therefore vary from case to case, depending on these aspects.
Data exfiltration attacks involve unauthorized transfers of, or access to, data. Relevant for the risk analysis is the extent to which the attackers had access to the data concerned. Naturally, such an attack will be handled differently for controllers holding particularly sensitive data (e.g. banks) compared to controllers who do not hold such confidential data.
The type of personal data involved, the security measures applied, etc. must be assessed. Depending on whether the data is, for example, encrypted, or whether special categories of personal data are involved, specific measures have to be taken.
The Guidelines are an important tool in the event of a data breach. Each breach must be considered on a case-by-case basis, and the specific situation must be reflected in the data protection impact assessment.
Please find more detailed information under: https://stalfort.ro/wp-