There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach, providing at least the following information:
- nature of the breach;
- the personal data compromised;
- recommendations of actions that may be taken by the data subject to protect its interests;
- immediate measures being taken by the data controller; and
- any means by which the individual can find further information regarding the matter.
Two types of data breaches must be notified to the CNPD:
Data breaches under the GDPR. Controllers shall notify a data breach to the CNPD within 72 hours of becoming aware of it where the breach is likely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk, the controller shall also communicate the personal data breach to the data subject without undue delay.
Data breaches in the electronic communications sector. In accordance with the European Commission regulation (EU) No. 611/2013 of 24 June 2013, which entered into force on 25 August 2013, providers of publicly available electronic communications services, such as fixed or mobile telephone companies or Internet service providers, must notify the CNPD within 24 hours after the detection of a personal data breach and inform their subscribers if the incident is likely to adversely affect their privacy and data protection.
Organisations are required to assess whether a data breach is notifiable, and to notify the affected individual(s) (where required) and/or the PDPC where the data breach is assessed to be notifiable. A data breach is assessed to be notifiable where:
- the data breach is of a significant scale, i.e. it involves the personal data of 500 or more individuals; or
- the data breach results in, or is likely to result in, significant harm to the affected individual(s), which is the case where the compromised personal data relates to:
  - the individual's full name, alias or identification number, in combination with: (a) financial information that is not publicly disclosed; (b) identification of vulnerable individuals; (c) life, accident and health insurance information that is not publicly disclosed; (d) specified medical information; (e) information related to adoption matters; or (f) a private key used to authenticate or sign an electronic record or transaction; or
  - an individual's account identifier together with the data required to access that account.
Organisations must notify the PDPC as soon as practicable, and no later than 72 hours after the organisation assesses that the data breach is notifiable. Where notification of the affected individual(s) is required, it must also be made as soon as practicable, either at the same time as or after the notification to the PDPC.
In addition, data intermediaries that process personal data on behalf of and for the purposes of another organisation or a public agency are not required to assess whether a breach is notifiable or to notify the PDPC themselves; instead, they must notify that other organisation or public agency without undue delay once a potential or actual data breach is detected.
Sector-specific regulation, such as the Notices and Guidelines on Technology Risk Management issued by the Monetary Authority of Singapore, may also require breach notification under different timelines.