Article 20 — Communication of Breach to Data Subjects

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  2. The communication to the data subject referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and shall contain at least:
    1. the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
    2. a description of the likely consequences of the personal data breach;
    3. a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
    4. recommendations for the data subject to take in order to protect himself or herself against the potential consequences of the breach, including, where relevant, the changing of passwords, the monitoring of accounts, or the exercise of rights under Title II of this Code.
  3. The communication to the data subject referred to in paragraph 1 shall not be required where any of the following conditions is met:
    1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
    2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
    3. the communication would involve disproportionate effort, in which case there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
  4. Where the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require the controller to do so or may decide that any of the conditions referred to in paragraph 3 is met.
  5. Given the digital-first nature of the Principality of Kaharagia, communications to data subjects under this Article shall be transmitted through the same electronic channels by which the controller ordinarily communicates with the data subject, and shall additionally be made available through the controller's primary electronic interface, where one exists.