DATA 9 NOTIFICATION OF PERSONAL DATA BREACHES

For the purposes of Article 31 of the Regulations, the notification of a Personal Data Breach must at least:

(A) describe the nature of the Personal Data Breach including:
(i) the categories of Data Subjects affected;
(ii) the approximate number of Data Subjects affected;
(iii) the categories and approximate number of Personal Data records affected;
(B) give the name and contact details of a person from whom more information can be obtained;
(C) describe the likely consequences of the Personal Data Breach;
(D) describe the measures that the Data Controller has taken or proposes to take to address the consequences of the Personal Data Breach, including, if appropriate, measures to mitigate its possible adverse effects;
(E) if the notification is not made within 72 hours after becoming aware of the Personal Data Breach, give reasons for the delay.