Personal data breaches: guidelines to support data controllers released


The Spanish Data Protection Authority (AEPD) has just released a tool to help data controllers decide whether or not to communicate a data breach to data subjects.

‘Comunica-Brecha RGPD’ aims to promote transparency and accountability among controllers and allow data subjects impacted by a security breach to know when their rights and freedoms may be at risk.

With such a resource, any organization can assess their obligation to inform natural persons affected by a security breach of personal data, as established in article 34 of the General Data Protection Regulation (GDPR).

The tool is free and easy to use and is based on a short form whose responses can indicate whether there is a risk associated with a security breach. Once the process is completed, the information and data entered during it are deleted, so the DPA cannot keep track of what has been provided; in no case does the DPA store the data entered during the process. The DPA stresses that the tool is an aid to decision-making, but the final decision inevitably rests with the data controller, and in no case does its use represent the opinion of the DPA on the application of art. 34 of the GDPR to a specific security breach.

Depending on the information provided when completing the form, the tool returns one of three possible outcomes: that the data subjects should be notified of the security breach because a high risk has been identified; that such communication is not necessary; or that the level of risk cannot be determined.

The use of this tool in no case replaces the necessary assessment of the level of risk by the controller, who is the one who best knows the details of the personal data processing carried out, the characteristics of the data subjects, the circumstances of the security breach and the other factors that make an accurate risk assessment possible. Similarly, the DPA points out that using the tool to support decision-making on the obligation to communicate security breaches to data subjects is independent of the obligation to notify the breach to the supervisory authority.


Article provided by: Belén Arribas (Spain)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.