From 12 December 2018, under Regulation (EU) 1725/2018 all European institutions and bodies have a duty to report certain types of personal data breaches to the EDPS. Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, the EU Institution must also inform the individuals concerned without unnecessary delay.
EU Institutions must ensure that they have prevention and detection mechanisms in place for personal data breaches, as well as investigation and internal reporting procedures. They must also ensure that when they identify a personal data breach, they are able to respond effectively to mitigate the negative effects of the breach on the individuals whose data has been compromised. They must also keep a record of all personal data breaches, including all details about the breach, regardless of any notification obligation to the EDPS.
How should EU institutions and bodies respond to a personal data breach?
The EDPS has published Guidelines on personal data breach notification for the EU Institutions and Bodies. These provide practical advice on how to comply with the Regulation. The guidelines outline the approach that you should take in order to adequately respond to a personal data breach. We advise you to carefully read these guidelines before notifying a personal data breach.
How to report a personal data breach to the EDPS
You can report a personal data breach either by filling in the online form or by downloading the form and sending it to the following email address: DATA-BREACH-NOTIFICATION@edps.europa.eu.
All communication must be encrypted. Therefore, when sending an email about a personal data breach to the EDPS data breach notification email address, any attachments must be encrypted (zip) and the password shared with the EDPS by alternate means (by text message or telephone call). Please include a separate telephone number in your email which we can use to contact you for the password.
- If you want to report a personal data breach via our online web form, please read the user guide.
- If you want to download a the form please click here.
If for any reason your initial notification was incomplete, you should submit further information when it becomes available. In this case, please submit a new notification form indicating the Case Reference number provided by the EDPS.
If you send updated notifications to the functional mailbox, please include the following information in the subject line of the email: [Updated Breach Notification] [EU institution/body Name] [Case Reference number]
Specific rules apply to the management of data breaches on operational personal data at Europol in accordance with Articles 34 and 35 of Regulation 2016/794.
EDPS-ENISA Conference: Towards accessing the risk in personal data breaches
The European Data Protection Supervisor and ENISA organised a conference in Brussels on 4th of April 2019 about personal data breach notification.
The conference aims to address the aspect of assessing the risk of personal data breaches under the General Data Protection Regulation (GDPR) - (EU) 2016/679 and the Regulation (EU) 1725/2018 for the processing of personal data by EU Institutions and bodies.
For more information please follow this link.