, ,

Data breach notification: new procedure adopted in Italy

New procedure, new burdens and obligations

With the decision  no. 157 of July 30, 2019, the Italian Data Protection Authority (Garante) has introduced a new official model containing the minimum information required to perform a notification of a personal data breach pursuant to art. 33 of the GDPR. In the past, the Garante had already introduced specific methods and requirements for notifying a data breach in various sectors and with the new decision, the Authority has introduced standardized terms, contents and methods of notification, adding a number of burdens for the notifying entity.

What to include in the notification

The GDPR provides that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Likewise, the data processor who becomes aware of a possible violation is obliged to promptly inform the controller so that remediation actions can be performed (Articles 33 and 55 of the GDPR, Art. 2-bis of the Italian Privacy Code).
As a result of the aforementioned Garante’s decision nr. 157, the level of detail of a data breach notification has increased significantly, probably also in order to allow the controller to assess in a responsible manner the actual need to communicate, or not, the same violation also to the natural persons concerned, in accordance with the provisions of Article 34 of the GDPR.

Let’s see how the notification of data breach changes.
In order to perform the notification the data controller shall download the form available on the website of the Garante and fill in the following sections:

  • A. Data of the subject who makes the notification, entering the personal and contact details of the person who actually makes the notification (if appointed, this is the DPO of the holder);
  • B. Data relating to the data controller, meaning the identification data of the controller  (full name of the company, fiscal code, address, …), the contact details of the subject to be contacted for information, such as the DPO or the internal legal counsel (where a DPO has been appointed the relative protocol  number communicated by the Garante after the DPO online registration shall be inserted) and the references of other subjects involved with an indication of the role played in the breach(co-controller or processor, representative of the controller not established in the EU);
  • C. Summary information on the violation, this is one of the most critical sections as it will be necessary to indicate detailed information relating to the violation, including: the exact date on which it occurred, the time and manner in which the controller became aware of it, the reasons for the delay in case of notification beyond 72 hours (if applicable), the nature and cause of the date breach and the categories of personal data and individuals affected, with an indication of their volumes;
  • D. Detailed information on the violation, in addition to the previous section in this one details of the violation must be given, describing in particular the incident underlying the violation, the categories of data violated, the information systems and infrastructures involved in the incident, with an indication of their location and the technical and organizational security measures adopted;
  • E. Possible consequences and seriousness of the violation, this is a section that requires a prognostic effort by the controller who will be required to identify the possible impacts of the violation based on its nature and the potential negative effects for those concerned; it will also be necessary to make a reasoned estimate of the likely seriousness of the data breach;
  • F. Measures taken as a result of the breach, in which all technical and organisational countermeasures adopted to limit the impacts of the breach and of future implications shall be reported in order to prevent future incidents;
  • G. Communication to the data subjects, in this section it will be necessary to specify whether or not the violation has been communicated to data subjects in accordance with Article 34 of the GDPR, and in the event of non-communication it will be necessary to clarify the reasons for such decision;
  • H. Other information, this is a closing section in which details about the cross-border impact of the data breach and any reports already made to other authorities can be entered.

If the data controller is not in possession of all the information required by the form,  a partial notification can be performed, initiating the process even in the absence of a complete picture of the violation, subject to a subsequent supplementary notification.

How to send the notification

The notification form, once completed with the required information, must be sent to the Garante by e-mail at “protocollo@pec.gpdp.it” and must be digitally signed (with qualified electronic signature/digital signature) or with handwritten signature. In the latter case, the notification must be submitted together with a copy of the signatory’s identity document.
The notification should not include personal data concerning the subject  affected by the breach. Furthermore the subject of the message must contain the words “NOTIFICATION OF VIOLATION OF PERSONAL DATA” and, optionally, the name of the data controller.

Next steps

The new notification form requires the controller to collect a large amount of information relating to the breach. In order to be able to perform the notification, the controller must therefore ensure to have implemented appropriate organizational procedures – both internal and external aimed to the data processors – that enable the controller to promptly obtain  all the information necessary to complete the notification.
The notification procedure must be supported keeping the so-called “data breach record”: a document that has the dual function of allowing the controller to easily monitor and control all the violations of personal data occurred and allows the , to verify compliance with the obligation of timely notification.
This register should be prepared in line with the requirements of the notification form to collect all information necessary to adequately document any personal data breach, including the circumstances surrounding it, its consequences and the remediation steps undertaken.

The data breach scenario in Europe and Italy

The phenomenon of data breaches is constantly increasing in Europe. The European Data Protection Board has published a report on the state of implementation of the GDPR 9 months after its full applicability, which notes that the supervisory authorities in Europe have recorded about 64,684 notifications of data breaches, and it is reasonable to assume that since the publication of the report to date this figure has grown further. In this respect according to the World Economic Forum cyber attacks are the greatest threat to companies operating in Europe. In recent years, Europe has been the scene of a long series of major cyber attacks, the number of which increased by about a third in the first quarter of 2018, compared to the same period last year.
These estimates are confirmed by the report presented by the European Union Agency for Network and Information Security (ENISA), according to which, while the number of attacks cyber has increased significantly and their seriousness has increased exponentially. In the first half of 2018, around 4,500 million records were compromised due to data breaches, which represents a big increase compared to 2017, when “only” 2.7 million records were breached in the same period.
As for Italy, according to the most recent estimates available, up to June 30, 2019 the Garante has recorded 1254 confirmed cases of notifications of data breach, with an increase of about 31% compared to the violations recorded up to March.

For more info drop me a line via Twitter –  Fb or Telegram  

If you think this information is valuable, repay my effort and share it on your #SocialMedia, Be Influent! 

Also don’t miss my Telegram channel @TechnoLawgy for the latest #Privacy and #LegalTech news!

, ,

📃💻Fatturazione elettronica e privacy: le novità rilevanti alla luce dei provvedimenti del Garante

Dal primo Gennaio 2019 la fatturazione elettronica è ufficialmente obbligatoria anche tra privati, ma negli ultimi due mesi ci sono state numerose novità dovute all’intervento del Garante per la protezione dei dati personali: nuovi esoneri e una serie di adeguamenti da porre in essere a carico dell’Agenzia delle Entrate per conformarsi alle regole del nuovo Regolamento privacy europeo n. 679/2016 (GDPR). Continua a leggere

, ,

Sanzioni Privacy ridotte ai 2/5 del minimo edittale: il Garante spiega come

COSA?

Il 19 Settembre 2018 è ufficialmente entrato in vigore il decreto legislativo 101/2018  che ha coordinato le vecchie norme nazionali in materia di privacy con il GDPR, ed ha introdotto la possibilità di una definzione agevolata dei procedimenti sanzionatori pendenti.  Continua a leggere

, , ,

DPO: errata notifica al Garante? Ora disponibile il modello di revoca

Il dilemma del DPO, lo nomino o non  lo nomino?

Continua a leggere