European Data Protection Supervisor

Personal Data Breach


From 12 December 2018, under Regulation (EU) 1725/2018 all European institutions and bodies have a duty to report certain types of personal data breaches to the EDPS. Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, the EU institution must also inform the individuals concerned without undue delay.

EU Institutions must ensure that they have prevention and detection mechanisms in place for personal data breaches, as well as investigation and internal reporting procedures. They must also ensure that when they identify a personal data breach, they are able to respond effectively to mitigate the negative effects of the breach on the individuals whose data has been compromised. They must also keep a record of all personal data breaches, including all details about the breach, regardless of any notification obligation to the EDPS.

How should EU institutions and bodies respond to a personal data breach?

The EDPS has published Guidelines on personal data breach notification for the EU Institutions and Bodies. These provide practical advice on how to comply with the Regulation. The guidelines outline the approach that you should take in order to adequately respond to a personal data breach. We advise you to carefully read these guidelines before notifying a personal data breach.

How to report a personal data breach to the EDPS

You can report a personal data breach either by filling in the online form or by downloading the form and sending it to the following email address: DATA-BREACH-NOTIFICATION@edps.europa.eu.

All communication must be encrypted. Therefore, when sending an email about a personal data breach to the EDPS data breach notification email address, any attachments must be encrypted (for example, as a password-protected zip archive) and the password shared with the EDPS by a separate channel (text message or telephone call), never in the same email. Please include in your email a telephone number that we can use to contact you for the password.

If for any reason your initial notification was incomplete, you should submit further information when it becomes available. In this case, please submit a new notification form indicating the Case Reference number provided by the EDPS.

If you send updated notifications to the functional mailbox, please include the following information in the subject line of the email: [Updated Breach Notification] [EU institution/body Name] [Case Reference number]
