How a company should behave if suffering a Data Breach, according to the new General Data Protection Regulation (GDPR)? How should it do it and in which time? What are the liabilities and what sanction does it incur in if it does not behave accordingly?

We had a “Word of the Day” about Data Breaches recently, and our curiosity about the topic arose quickly on what a company should do, also from a juridical perspective, in case it is victim of an IT violation and what are its liabilities according to European Regulation 2016/679 which will become effective in a few months and it’s worth preparing for it. 

Security of personal data -ie “any information relating to an identified or identifiable natural person” (art.4, par.1, n.1)- is considered by the European Regulation a primary commitment of the subject treating such data, in accordance wiht the principle of “accountability”. Indeed, art.32 specifies that the owner and the responsible of the treatment must employ adequate technical and organizational measures in order to guarantee an adequate security level to risk, still taking into account the state of the art and costs, the nature, object, contexts and aims of the treatment, as well as the risks of different probabilities and gravity for rights and liberties of natural persons.
The norm precises that, when evaluating this security level, we must consider risks derived to destruction, loss, modification, unauthorized diffusion or access -be it accidental or purposely- to personal data.

So, what is a Data Breach according to the Regulation?
Art.4, par.1, n.12, defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

What should a company do in case of a Data Breach?
A new obligation of notifying the data breach subsists, which is not expected by the previous European Directive 95/46 on privacy. 

Who is the subject deputed to such communication, and who is the recipient? What are its characteristics?
Norms calls that the obligation of notification being a responsibility of the owner of the treatment, ie. “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (art.4, par.1, n.7).
The regulation, as for other profiles, distinguishes two hypothesis: let’s see the premises and what to do.

The first case is disciplined by art.33 which imposes the notification of the violation of personal data to the national control Authority in charge without an unnecessary delay, and, if possible, within 72 hours from the moment of acknowledgment, unless it’s unlikely that the violation has a risk in terms of rights and liberties of natural persons. If the notification is not within 72 hours, it must be supplied with reasons about the delay.

The norm also calls for the minimum content that the Supervisory Authority must be provided with:

  1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The following article, art.34, considers another obligation of data breach notification to the subject involved, “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”. The norm also considers that the communication must happen without undue delay and must describe, with a clear and easy language, the nature of the violation and contain at least the information described at letters b), c) and d) of the aforementioned article 33.
Verily, the norm states that the owner of data could be exempt from communicating to the subject if incurring in one of the following conditions:

  • has applied all adequate technical and organizational measures to protect data and such measures has been applied to personal data object of the breach (ie encryption);
  • has adopted further measures in order to prevent an high risk for rights and liberties of the involves persons;
  • communication would require excessive efforts (in this case a single public communication can be done).


What are the fines one is to expect in case of violating the obligation of notification?
Infringements of provisions if heavily sanctioned by the Regulation: administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (art. 83, par.4).
Additionally, art.82 states that, in general, “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”, unless said controller or processor can prove the damaging event is not to be ascribed to him.

In conclusion, the compliances following a data breach are not easy by no means at all or easy to apply, and fines might be very severe. Therefore it’s way better to act in a preventive way, thus improving every security measure: as always, prevention is better than the cure.


About the Author

Veronica Morlacchi

Laureata a pieni voti in giurisprudenza, è Avvocato Cassazionista, iscritta all’Albo degli Avvocati di Busto Arsizio dal 2004 e all’Albo degli Avvocati abilitati al Patrocinio davanti alla Corte di Cassazione e alle altre Giurisdizioni superiori. Si occupa principalmente, nell’interesse di Privati, Professionisti, Aziende ed Enti pubblici, di diritto civile, in particolare responsabilità civile e risarcimento danni, diritto delle nuove tecnologie e privacy, contratti, persone e famiglia. Ha conseguito un master in Responsabilità civile e un corso di perfezionamento in Tecniche di redazione dei contratti e, da ultimo, si è perfezionata in Data Protection e Data Governance all'Università degli Studi di Milano e in Strategie avanzate di applicazione del GDPR. Pubblica periodici aggiornamenti e articoli nelle materie di cui si occupa sul suo sito e da giugno 2016 collabora con Guru Advisor

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...


The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...


The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...


Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...


In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

Read also the others...

Download of the Day


Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...



Fiddler is a proxy server that can run locally to allow application debugging and control of data in...


Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.


DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...


SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

All Download...

Issues Archive

  •  GURU advisor: issue 21 - May 2019

    GURU advisor: issue 21 - May 2019

  • GURU advisor: issue 20 - December 2018

    GURU advisor: issue 20 - December 2018

  • GURU advisor: issue 19 - July 2018

    GURU advisor: issue 19 - July 2018

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1