What kind of the personal data breach shall be entered into the internal register of breaches?
Article 33(5) GDPR imposes on the controllers the obligation to document any personal data breaches, therefore to establish an internal register of breaches. The wording “any”, used in the abovementioned article means that the register shall include any personal data breaches meeting the criteria specified in Article 4(12) GDPR. The controllers are encouraged to establish the internal registers of breaches regardless of whether or not a breach needs to be notified to the supervisory authority. The register shall include notifiable breaches as well as non-notifiable breaches that not require notification to the supervisory authority because it is unlikely to result in a risk to individuals’ rights and freedoms.
Under Article 33(5) GDPR the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, what took place and the personal data affected. It should also include the effects and consequences of the breach, along with the remedial action taken by the controller.
Keeping record is linked to the accountability principle of the GDPR, contained in Article 5(2) GDPR and also relates to the controller’s obligations under Article 24 GDPR. As indicated in Article 33(5) second sentence GDPR, the supervisory authority may request an access to the documentation (register) and that documentation shall enable the supervisory authority to verify compliance with GDPR with regard to this obligations.
In addition to these details, WP29 emphasises that if the controller will decide not to notify the breach, a justification for that decision should be documented, including reasons why the controller considers the breach is unlikely to result in a risk to the rights and freedoms of individuals
WP29 indicates that the controller may choose to document breaches as part of if its record of processing activities which is maintained pursuant to Article 30 GDPR. A separate register is not required, provided the information relevant to the breach is clearly identifiable as such and can be extracted upon request.
It should be noted that failure to properly document a breach can lead to the supervisory authority exercising its powers under Article 58 GDPR or imposing an administrative fine in accordance with Article 83 GDPR.
