Article 40.01
Where a personal data breach has occurred with respect to personal data being stored or processed by a data processor, the data processor shall, on becoming aware of the breach —
(a) notify the data controller or data processor that engaged it, describing t...
Article 40.02
A data controller shall, within 72 hours of becoming aware of a breach which is likely to result in a risk to the rights and freedoms of individuals, notify the Commission of the breach and, where feasible, describe the nature of the personal data breach...
Article 40.03
Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject the data controller shall immediately communicate the personal data breach to the data subject in plain and clear language, including advice about...
Article 40.04
The notifications and communications referred to in subsections (1), (2) and (3) shall, in addition to the requirements of those subsections —
(a) communicate the name and contact details of a point of contact of the data controller, where more information c...
Article 40.05
The Commission may, at any time, make a public communication about a personal data breach notified to it under subsection (2), where it considers the steps of the data controller to inform data subjects inadequate.
Article 40.06
The Commission shall issue and publish regulations on the steps to be taken by a data controller to adequately inform data subjects of a personal data breach for purposes of subsection (3).
Article 40.07
In evaluating whether a personal data breach is likely to result in a risk to the rights and freedoms of a data subject under subsection (3), a data controller and the Commission may take into account —
(a) the likely effectiveness of any technical a...
Article 40.08
A data controller and data processor shall keep a record of all personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken in a manner that enables the Commission to verify compliance with...
Article 40.09
Where it is not possible to provide information under this section at the same time, the information may be provided in phases without undue delay.