When and for what purpose must a personal data breach be communicated to the data subject?

 

In accordance with Article 34(1) GDPR, "When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay." This provision stipulates that the controller is obliged to communicate the personal data breach to the data subject if the following two conditions are met simultaneously. Firstly, a personal data breach must have occurred. Secondly, the personal data breach must be likely to result in a high risk to the rights and freedoms of the data subject, for example when the breach may lead to discrimination, identity theft, fraud, financial loss or damage to reputation. When the breach involves sensitive data, such a high risk should be considered likely. The personal data breach must be likely to result in a high risk to the rights and freedoms of the data subject, regardless of whether an infringement of those rights and freedoms actually occurs.

 

The GDPR requires the controller to communicate the personal data breach to the data subject "without undue delay". This means that the controller must fulfil this obligation as soon as possible, taking into account the circumstances of the particular personal data breach. It should be assumed that the higher the risk to the rights and freedoms of data subjects, the sooner the communication must be made, as indicated in Recital 86 GDPR. Timely communication helps individuals take steps to protect themselves from any negative consequences of the breach. An example is a leak of bank passwords, in which case the bank's reaction must be immediate.

 

2018-08-09 Article metadata