When is notification of a personal data breach to the President of the PDPO not required?
Article 33(1) GDPR states that when "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons", the controller is not obliged to notify the breach to the supervisory authority.
Under Article 33 GDPR, not every personal data breach involves a breach of the rights and freedoms of natural persons. The notification obligation referred to in the above-mentioned article concerns only those breaches which are likely to result in a high risk to the rights and freedoms of natural persons.
Each situation shall be analysed with reflection and caution. A change in any of the key elements may lead to a different conclusion. If, in the situation described in Example II, it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights and freedoms of natural persons will change, and notification to the President of the Personal Data Protection Office may then be required. Likewise, when a breach occurs and the controller has no adequate backup of the personal data, the incident shall be considered a loss of availability that poses a risk to the rights and freedoms of natural persons and shall be notified to the supervisory authority.