What is a personal data breach?
The ”personal data breach” shall be meant as a ”breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4 (12) GDPR)
The breach occurs if the three following conditions are cumulatively met:
- the breach must concern personal data transmitted, stored or otherwise processed by the subject concerned by the breach;
- a breach must result in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
- a breach is a result of the violation of personal data security rules.
WP29 explains that breaches can be categorised according to the following three types:
- “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data.
Example: „The data has been accidentally sent to the wrong business unit or an unauthorised person.”
- “Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
Example I: „A device containing a copy of a controller’s customer database has been lost or stolen.”
Example II: “Data has been deleted from the database by the employee, accidentally, or by the unauthorised party, deliberately. The controller is trying to restore data from the backup, but with no result.”
- “Integrity breach” - where there is an unauthorised or accidental alteration of personal data.
Example: “The employee changes customers’ surnames, as a joke, by adding the letter “s” to the end of each surname. “
2018-08-09
