Danish Data Protection Authority Issues Updates on Handling Data Breaches
The Danish Data Protection Authority (DPA) updated its guidance Tuesday about how data controllers should react when a personal data breach occurs, including notification practices.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
"When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must not only notify the Danish Data Protection Authority, but also notify the data subject of the breach," the updated guidance says.
"If the risk is likely to be high only for a (smaller) proportion of the affected data subjects, then the data controller must notify these data subjects, regardless of whether the notification obligation may not have arisen in relation to all data subjects affected by the breach."
The updated guidance also says that while there's no specific time frame for notification, it must occur "without undue delay." In addition, it must include the name and contact details of a data protection officer or someone who can provide more information, a description of the likely consequences of the breach, and the measures the controller has taken to address it.
The full updated report can be found on the DPA website.
The DPA previously expanded the first part of its guidance on the topic last summer.