Digital data processing is an important driver of sustainable company development and is therefore, as one regularly reads, the new (motor) oil. The linking of, and cross-platform access to, all types of data plays a central role in this. Fintechs, for example, focus on bank data; developers of health apps or wearables focus on health data. If the corresponding data protection requirements are observed, such a business model can be economically very lucrative.
However, problems arise if the "oil pipeline" has a "leak" or, in other words, the data is accessed by unauthorised third parties. The reasons for data loss are manifold. Apart from data theft by employees, cyber-attacks pose an increasing threat. In the event of a data loss, not only the company's reputation is at stake. A loss of data may trigger reporting obligations which, if not fulfilled, can lead to high fines.
I. Fines for breach of data protection reporting obligations
According to the currently applicable German Federal Data Protection Act (BDSG), violations of notification obligations can be penalised with fines of up to € 300,000.00 per case.
The EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, provides for fines of up to € 10 million or 2% of the total annual turnover of the preceding financial year, whichever is higher, for a breach of these duties. Companies that have not yet done so should urgently establish internal procedures to ensure compliance with the reporting obligations. Otherwise the "oil boom" is quickly over. The basic conditions for the reporting obligations under the BDSG and the significant changes the GDPR brings to them are described below, followed by recommendations for dealing with data protection violations.
II. What applies according to the BDSG?
According to Sec. 42a BDSG, a company must inform the competent supervisory authority and the data subject if it finds that sensitive data stored by the company has been unlawfully transmitted to, or otherwise unlawfully made known to, a third party, and this threatens serious adverse effects on the rights or legitimate interests of the data subject. According to Sec. 42a para. 1 BDSG, the following types of data are considered particularly sensitive:
- special categories of personal data,
- personal data subject to professional secrecy,
- personal data related to criminal offences or administrative offences or the suspicion of punishable actions or administrative offences, or
- personal data concerning bank or credit card accounts.
If none of the aforementioned data types is affected, the further requirements of Sec. 42a BDSG need not be examined and there is (at least) no notification obligation under the BDSG.
However, the affected company may still have to fulfil other reporting obligations, which may arise e.g. from the IT Security Act (IT-Sicherheitsgesetz) or from its contracts with the parties concerned (e.g. customers).
If, however, e.g. bank data is affected and the additional requirements of the notification obligation under Sec. 42a BDSG are met, the supervisory authority and the data subjects must be informed "immediately" (unverzüglich). By analogous application of Sec. 121 para. 1 sentence 1 of the German Civil Code (BGB), this means acting without culpable delay.
III. What will change with the GDPR?
In Articles 33 and 34 GDPR, the General Data Protection Regulation follows the basic structure of Sec. 42a BDSG. However, it expands both the scope of application and the individual obligations.
1. Reporting to the supervisory authority
Article 33 GDPR standardises the reporting requirements towards the supervisory authority "in the case of a personal data breach". Any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (see Article 4 number 12 GDPR) is sufficient for such an event. Therefore, in addition to e.g. cyber-attacks, data losses due to system crashes can already trigger reporting obligations.
In addition, the reporting obligation under the GDPR is no longer restricted to certain data types.
Rather, the supervisory authority must always be notified, unless the data breach is "unlikely to result in a risk to the rights and freedoms of natural persons".
The GDPR leaves the criteria for this risk assessment open; the assessment is for the responsible company to make.
However, since the reporting obligation is tied to a breach of security, which the company must already guard against under Article 32 GDPR taking into account the risks to the data subjects, the Regulation proceeds from the premise that the risk assessment under Article 33 GDPR will build on the assessment previously made under Article 32 para. 1 and para. 2 GDPR.
Where a reporting obligation exists, the supervisory authority must be notified without undue delay and, where feasible, not later than 72 hours after the company has become aware of the data breach; if notification is made later than that, it must be accompanied by the reasons for the delay.
2. Notification of the affected parties
The aforementioned expansion of the reporting obligation (Article 4 number 12 GDPR) also applies to the notification of the data subjects. However, according to Article 34 GDPR, the data subjects must only be notified if the data breach is likely to "result in a high risk" to their rights and freedoms. The threshold for the notification obligation towards the data subjects is therefore higher than for the reporting obligation towards the supervisory authority. Here too, the risk assessment is incumbent upon the respective company. However, according to Article 70 para. 1 letter h GDPR, the European Data Protection Board is to issue guidelines and recommendations on this. Where a high risk is likely, the data subjects must be notified without undue delay, unless one of the exceptions of Article 34 para. 3 GDPR applies.
The notification obligation does not apply, for example, if the affected data was protected by technical measures such as encryption that render it unintelligible to anyone not authorised to access it (Article 34 para. 3 letter a GDPR). This exception presupposes that the encryption key itself was not compromised in the incident.
3. Recommendations for action
Companies that have hitherto ignored or insufficiently addressed the reporting obligations in the case of a data breach in their IT compliance should establish an incident management process. This should start by assessing the existing concept, adapting it as necessary, and then regularly re-examining it against the GDPR. The policy should begin with preventive measures and then set out a list of measures for the case of a data breach.
For example, the following should be considered preventively:
- reviewing the data processes as well as the technical and organisational measures for legal conformity,
- identifying and minimising particularly risky situations, taking into account the sensitivity of the data,
- ensuring internal notification of relevant events (chain of information),
- updating IT policies and training all employees on them,
- reviewing the necessity and extent of insurance coverage,
- continuous evaluation of all informal or publicly known cases of damage as a "learning organisation",
- establishing a crisis unit for the case of a data loss and its reporting.
In the case of a data loss, the crisis unit must, in addition to technical IT measures, work through a comprehensive set of legal and organisational steps:
- compliance with legal and contractual information requirements (for example, towards the parties concerned, the regulatory authority or the BSI),
- examination and defense of claims for damages of affected persons,
- examination and enforcement of claims for damages against a contractor for breach of contract,
- filing a criminal complaint,
- examination and enforcement of claims for damages against the perpetrator,
- assertion of the insurance claim,
- coordination of public relations.