Personal data breaches in the context of the new EDPB 01/2021 guidelines on examples regarding data breach notification and the ENISA Threat Landscape (ETL) report 2021 – Privacy


To print this article, all you need to do is be registered or log in to

Over the past two years, we have seen significant progress in the way the business world operates in a fully or semi-digital environment, which has undeniably been driven by, among other factors, the global COVID pandemic. -19. As a result of changes in their business model, many companies found themselves in a situation of continuous information security threats that exposed
the vulnerabilities of their IT systems, assets and overall operations, as well as the management of their human resources.

According to the European Union Agency for Cybersecurity (ENISA) Threat Landscape Report (ETL) 2021, the main threats identified during the period April 2020 to July 2021 are ransomware, software malware, cryptojacking, email threats, data threats, availability and integrity threats, misinformation – misinformation, non-malicious threats and supply chain attacks1. In total, personal data (50%) is among the most disclosed data. Among the mitigation techniques reported were the discovery and classification of sensitive/personal data and the application of encryption measures to this data in transit and at rest.

Along the same lines, it’s important to point out that in 2020 and 2021 there was a spike in non-malicious incidents, as apparently the COVID-19 pandemic increased human errors and misconfigurations of the system, leading to most breaches in 2020 being caused by errorsaccording to the aforementioned source.

Similarly, the International Association of Privacy Professionals (IAPP)-Ernst & Young (EY) 2021 Privacy Governance Annual Report indicates that half of publicly traded companies include privacy issues in disclosures. and reports; most said compliance and data breach risks are flagged 2.

Fig. 13

On the other hand, the most commonly used metrics to measure/benchmark the performance of privacy programs are incident response metrics 4.

Figure 25


As a result, ever-evolving cyberattacks, the impact of breaches based on human error, and the lack of properly designed and implemented incident response policies, procedures, and controls for many organizations often results in loss. significant economic consequences as a direct result of the threat. himself6 and/or as liability for failure to comply with the requirements of applicable law. Member State supervisory authorities may impose a fine of up to EUR 10,000,000 or, in the case of a company, up to 2% of the total worldwide annual turnover of the previous financial year in the event of failure to comply with the personal data breach notification requirements under the General Data Protection Regulation (GDPR). On December 28, 2021, the CNIL’s restricted commission imposed a fine of €180,000 on SLIMPAY, an approved payment institution, for insufficient protection of users’ personal data and failure to inform them of a data breach.7. Another recent example is the €80,000 fine imposed on Bank Millennium by the Polish UODO for failing to provide proper notification of the breach and data subjects of a personal data incident in 20218. In 2019, hackers stole the personal data of around 6 million Bulgarian nationals and foreigners in an unprecedented attack on the National Revenue Agency, mainly due to the lack of technical and organizational security measures adequate, according to the investigation by the Bulgarian Supervisory Authority.9. In addition, at the beginning of 2022, the Bulgarian Registration Agency published the home addresses of 300,000 self-employed professionals as well as additional information about them that is not strictly related to their professional activities. Even if the national authorities are still debating the existence of a technical problem which led to such a disclosure or of an inappropriate decision taken, such an action goes against the principles of processing of personal data established under the GDPR.

To sweeten the cake, the exposure to reputational damage and compensation claims from those affected could further add to the bill and often overweight the administrative penalties.

In December 2021, the European Data Protection Board (EDPB) updated its guidelines on personal data breach examplesten. The EDPB draws attention to the fact that data breaches are problems in themselves, but are at the same time symptoms of organizational and/or systemic vulnerabilities or weaknesses that could expose companies to regulatory, civil or of reputation.

The document reiterates the main obligations of data controllers and processors with regard to data breaches and provides important guidance on the appropriate measures to take in the most common cases of security incidents. The EDPS Guidelines 01/2021 are intended to complement the previous EDPS Guidelines on personal data breach notification under Regulation 2016/679, WP 250, adopted in 2017.

The guidelines examine in detail different scenarios of ransomware, data exfiltration attacks, insider human risk source incidents, lost or stolen devices and paper documents, mis-sending and other threads. , outlining the prior measures and risk assessment and mitigation and the obligations of the controller or processor. The necessary actions to be taken are based on the identified risks and vulnerabilities, which are specific to a particular business and its operation, and may include the preparation of internal documentation, notification to the competent supervisory authority and communication to persons concerned.

As next steps, it is advised that personal data controllers and processors are reviewing and updating their policies, procedures and internal controls in light of new EDPB guidelines and industry best practices. This is particularly important given the rather short deadline that the GDPR has established for the notification of a data breach to the competent supervisory authority in this regard, namely 72 hours after becoming aware of it. Furthermore, even if an organization is not obliged to appoint a DPO, it is recommended to select a specific person from its staff who will be responsible for ensuring the proper assessment, documentation and, if necessary, notification of the competent data protection authority.

In addition, these internal policies and procedures should be drafted taking into account not only the provisions of applicable data protection laws, but also other specific legal requirements that may apply. For example, some member state cybersecurity laws impose additional notification obligations on digital service providers and operators of essential services which, in some cases, introduce even tighter deadlines than those provided by the GDPR.







6. In 2020, Portuguese energy company EDP was sued for $10.9 million by hackers following an attack that threatened to leak a large amount of private customer and financial information.





The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.


About Author

Comments are closed.