The most important facts at a glance
- In the event of a data breach, a report must be made to the supervisory authority within 72 hours.
- Swift and professional action can prevent high fines (up to EUR 20 million) and reputational damage.
- Legally sound documentation and communication are crucial for damage limitation.
Data protection breach - what now?
A data breach can affect any company and presents those responsible with major challenges. As data protection lawyers, we regularly assist companies through such critical situations. Whether it is a lost USB stick with customer data, a misdirected email containing sensitive information, or a hacker attack on your systems, the professional handling of such incidents determines the legal and economic consequences.
The legal classification of a data breach
A data breach occurs when a security violation leads to the destruction, loss, alteration, or unauthorized disclosure of personal data. It is irrelevant whether the incident occurred unintentionally or as a result of intentional action. The legal assessment must be carried out immediately, as further action obligations arise from it.
Reporting obligations and deadlines
EU data protection law provides for a strict reporting obligation: a personal data breach must be reported to the competent supervisory authority within 72 hours of becoming aware of it. This deadline also applies on weekends and public holidays. An exception only applies if the breach is unlikely to result in a risk to the rights and freedoms of the data subjects.
Professional Crisis Management
The first step in a data breach is the comprehensive documentation of the incident. All relevant information must be recorded: When was the incident discovered? Which data is affected? Which systems were compromised? This information is not only important for reporting to the supervisory authority but also for later evidence preservation.
Communication with Affected Parties
If there is a high risk to personal rights and freedoms, the affected individuals must also be informed immediately. Communication must be transparent, but at the same time, legally secure. Incorrectly formulated information can carry further legal risks and should therefore be legally reviewed.
Immediate technical and organizational measures
Following the discovery of a data breach, technical protective measures must be initiated immediately. This includes isolating affected systems, changing access credentials, and securing evidence through IT forensics. In parallel, the internal organization must be adapted to prevent further incidents.
Legal consequences of misconduct
Failure to comply with reporting requirements can have serious consequences. The GDPR provides for fines of up to 10 million euros or 2% of global annual revenue. In addition, there may be claims for damages from data subjects and significant reputational damage.
Prevention and Future Security
The best strategy for handling data breaches is prevention. This includes regular employee training, implementing technical security measures, and establishing clear processes for emergencies.
Frequently asked questions
A reportable data breach occurs when personal data has been unlawfully disclosed, altered, or lost due to a security incident, and this may pose a risk to the rights and freedoms of the affected individuals.
The reporting obligation depends on the risk to those affected. The nature, scope, and context of the data concerned, as well as the potential consequences of the breach, are crucial.
The notification is made to the responsible data protection supervisory authority of the federal state in which your company is based.
The notification must include a description of the incident, the type of data affected, the number of people affected, the measures already taken, and the contact details of a point of contact.
Information from the data subject is required when there is a high risk to their rights and freedoms, for example, when particularly sensitive data is disclosed.
The notification must be made "immediately". Unlike the notification to the supervisory authority, there is no rigid 72-hour deadline.
In addition to high fines, those affected may face claims for damages and significant reputational damage.
By implementing a data protection management system, conducting regular employee training, and creating emergency plans.
Data processors must immediately report data breaches to the data controller so that the controller can fulfill their reporting obligations.
The documentation must include all facts about the incident, the impact assessment, and the measures taken. This documentation must be kept for five years.