Obligation to notify data subjects of a breach of personal data protection | PRO HR August 2021
2021.08.10
A controller must promptly notify persons of a breach of their personal data protection if their data is subject to the breach and the incident could cause a high risk of violating their rights or freedoms.
The notification of the data subjects must include, among other things, a description of the possible consequences of the data protection breach and the means applied and proposed by the controller to remedy the breach.
In addition, the occurrence of an incident triggers the controller’s duties involving the submission of a notification on the breach to the President of the Personal Data Protection Office and recording the incident in the internal records of breaches.
Since the duty to notify data subjects of an incident arises only when the risk of violating their rights or freedoms is high, it is necessary to conduct a thorough risk evaluation in each instance.
We recommend implementing procedures on how to proceed in the event of a breach of data protection. A properly designed procedure will make it possible to define the level of risk of breaching the rights and freedoms of natural persons and to take commensurate action. As a consequence, the probability of a cash fine being imposed on the controller will be reduced.
Find more in the PRO HR August 2021.