Data Protection Act 2018

Notification of personal data breach to Commission, etc.

86. (1) Subject to subsection (3), where a personal data breach occurs, the controller shall, without undue delay and where feasible within 72 hours of becoming aware of the breach, notify the Commission of the breach.

(2) Where a controller does not notify the Commission under subsection (1) of a personal data breach within 72 hours of becoming aware of the breach, the controller shall include in the notification the reason for not so notifying.

(3) Subsection (1) shall not apply where, taking into account the nature of the personal data and the scope, context and purposes of the processing, the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.

(4) A notification under subsection (1) shall include—

(a) a description of the personal data breach, including, where possible, the categories and number, or approximate number, of—

(i) data subjects concerned, and

(ii) personal data records concerned,

(b) a description of the likely consequences of the personal data breach,

(c) a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including any measures taken or proposed to be taken to mitigate its possible adverse effects, and

(d) the name and contact details of the controller’s data protection officer (if any) or other point of contact.

(5) Where, at the time of the making of a notification under subsection (1), it is not possible for a controller to include in the notification all the information specified in subsection (4) in relation to the personal data breach concerned, the controller shall—

(a) nevertheless make the notification including such information as is possible to include at that time, and

(b) supply the Commission with such information specified in subsection (4) as is outstanding without undue delay.

(6) A controller shall create and maintain a detailed record in writing of a personal data breach, including a description of—

(a) the breach,

(b) the effects of the breach, and

(c) the measures taken to address the breach, including any measures taken to mitigate its possible adverse effects.

(7) A controller shall, where so requested by the Commission, provide a copy of a record created and maintained under subsection (6) to the Commission.

(8) Where a personal data breach involves personal data that have been transmitted—

(a) by a controller in the State to a controller in another Member State, or

(b) by a controller in another Member State to a controller in the State,

the controller in the State shall provide the controller in the other Member State with the information specified in subsection (4) without undue delay.