Conference presentation
Open access

Be Aware of the Data Breach Notification

Contributors: Hirsch, Célian
Presented at: Cyberspace conference, Privacy and Personal Data, Brno, 27.11.2021
Publication date: 2021-11-27
Presentation date: 2021-11-27

Article 33 par. 1 GDPR provides that "in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." This legal duty to notify almost every personal data breach raises several issues and questions. I will focus on the main one: when does the 72-hour notice requirement start? The text says that the time period starts when the controller becomes "aware" of the data breach. According to the WP29, the controller is "aware" when he "has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised." In its decision against Marriott, the Information Commissioner's Office had a different view and held that the controller becomes "aware" when he is "able reasonably to conclude that it is likely a personal data breach has occurred." Furthermore, in its decision against Twitter, the Irish Data Protection Commission held that the time period starts when Twitter should have known that a data breach occurred, and not when it effectively became aware of it. The starting point of the 72-hour notice requirement has a very practical importance. For example, the Dutch Data Protection Authority recently imposed a fine of €475,000 on Booking.com for reporting a data breach 22 days too late. The main issue, in this case, was when Booking did become aware of the breach. My presentation will focus on what it means to become "aware" of a personal data breach, by analysing several examples and discussing the main issues therein. I will also discuss from a practical perspective how a controller may meet the burden of proof that it has timely satisfied the 72-hour notice requirement.

Citation (ISO format)
HIRSCH, Célian. Be Aware of the Data Breach Notification. In: Cyberspace conference. Brno. 2021.
PID: unige:158897

Technical information

Creation: 02/10/2022 8:52:00 AM
First validation: 02/10/2022 8:52:00 AM
Update time: 03/16/2023 2:39:35 AM
Status update: 03/16/2023 2:39:34 AM
Last indexation: 05/06/2024 9:55:41 AM
All rights reserved by Archive ouverte UNIGE and the University of Geneva