{"id":6917,"date":"2018-08-02T14:56:41","date_gmt":"2018-08-02T18:56:41","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=6917"},"modified":"2019-05-08T11:40:25","modified_gmt":"2019-05-08T15:40:25","slug":"gdpr-report-personal-data-breach","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/gdpr-report-personal-data-breach\/","title":{"rendered":"GDPR: When to report a Personal Data Breach"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">In the first month since the GDPR became enforceable, data breach self-reporting is up 500%<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Even before the European Union&#8217;s General Data Protection Regulation (GDPR) became enforceable on May 25th, the words &#8220;personal data breach&#8221; were enough to send shivers down the spines of CIOs and CISOs the world over. While the public seems to be growing numb to the torrent of data breach news and notifications that have been coming their way (<a href=\"https:\/\/www.riskbasedsecurity.com\/2018\/02\/over-5200-data-breaches-make-2017-an-exceptional-year-for-all-the-wrong-reasons\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">5,027 breaches compromising over 7.8 billion records in 2017<\/a>), security professionals &#8211; especially corporate ones &#8211; are more sensitive than ever to the dangers of a personal data breach.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/ico-logo-blue-300x200.jpg\" alt=\"Personal Data Breach\" class=\"wp-image-6962\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/ico-logo-blue-300x200.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/ico-logo-blue-768x512.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/ico-logo-blue-1024x683.jpg 1024w, 
https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/ico-logo-blue.jpg 1200w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">And now with the GDPR enforceable, in addition to the potential loss of business and damage to reputation, there is also the potential for steep fines of up to \u20ac20,000,000 or 4% of total international revenue.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That in turn has led to a major spike in self-reporting in the first month of GDPR enforcement, with <a href=\"http:\/\/www.itpro.co.uk\/data-protection\/28029\/latest-gdpr-news-uk\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">1,792 breaches self-reported to the UK Information Commissioner&#8217;s Office<\/a> (the UK&#8217;s Data Protection Authority) in June of 2018. That&#8217;s compared to just 367 breaches reported in April, the last full month before the GDPR went into effect.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, in a recent webinar, the ICO&#8217;s head of Data Breach Reporting, Laura Middleton, cautioned that: &#8220;<strong>not every personal data breach needs to be reported<\/strong>. So controllers should assess the likelihood and severity of risk to individuals before making that decision to report.&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So that&#8217;s what we&#8217;re going to cover today: under the GDPR, what constitutes a personal data breach and when should you report one?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Under the GDPR, what is a Data Breach?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In many ways, the term &#8220;Data Breach&#8221; is probably not a broad enough descriptor. Just like with many American laws, the legal definition and the popular definition differ. 
For the sake of the GDPR, Personal Data Breach covers a range of data incidents, everything from accidental disclosure to deletion to an actual breach of security where information is stolen. Here&#8217;s the official GDPR definition in Article 4(12):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u2018personal data breach\u2019 means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;<\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s break that down a little bit. A breach of security in this sense doesn&#8217;t have to be an attacker fighting through your defenses. A breach of security can occur as a result of something as simple as an employee&#8217;s mistake or a database error. The more important portion of this definition is the back half, which is fairly broad. And that&#8217;s likely led to some over-reporting, where incidents that didn&#8217;t rise to the level of needing to be reported were still documented with the ICO out of a sense of caution.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But for the sake of clarity, let&#8217;s define a GDPR personal data breach in our own layman&#8217;s terms.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A personal data breach occurs any time a customer&#8217;s data is destroyed, lost, altered or disclosed to the wrong party, whether by accident or through an attacker&#8217;s malicious act.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, let&#8217;s talk about what your responsibilities are for reporting a data breach under the GDPR.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">You have 72 hours to report a personal data breach after it&#8217;s discovered<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is the biggest thing that you need to be aware of as you investigate any data incident and make a 
determination on reporting: you have 72 hours from the time you discover the issue. Now, with a true breach the average time it takes a company to detect it is usually around 190 days. Some of the other data incidents that roll up under the GDPR&#8217;s &#8220;Personal Data Breach&#8221; definition may take considerably less time to diagnose. Regardless of how long it takes for the problem to present itself, <strong>once it&#8217;s been discovered you need to document that down to the minute<\/strong> and from there you have three days to decide what you need to do.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s how the GDPR lays out your responsibility in Article 33(1):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><sup>1<\/sup>In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with <a href=\"https:\/\/gdpr-info.eu\/art-55-gdpr\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Article 55<\/a>, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. <sup>2<\/sup>Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.<\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">As you can see from the definition, your company or organization is faced with a decision regarding the severity of the incident. 
And much like with determining your &#8220;legitimate interests,&#8221; the GDPR is essentially asking you to perform an analysis that weighs the risk to the rights of the data subject.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To figure that out you&#8217;re going to need to answer some questions, and it would be a good idea to document these as part of your investigation.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>What Happened?<\/strong> What kind of incident was this? Did you leave an AWS bucket with all of your users&#8217; financial data unprotected, or did you just send the wrong customer the wrong email?<\/li><li><strong>How many people were affected?<\/strong> Is this a large-scale breach or is it limited to just a handful of people? Most literature around GDPR puts the cut off for &#8220;large-scale&#8221; at 500 data subjects.<\/li><li><strong>What personal data was compromised?<\/strong> Is this just a customer&#8217;s name and email address? Or is it more sensitive data like financial information or special categories of personal data?<\/li><li><strong>What is the risk to the affected data subjects?<\/strong> Worst case scenario, what could be done with this information to harm the data subject either financially, materially or reputationally?<\/li><li><strong>What caused this situation?<\/strong> Was it an attacker exploiting your security? Was this a technical mistake? Human error?<\/li><li><strong>How easily can this issue be remediated?<\/strong> Will this take months to fix or is this just a simple tweak? 
When will you be able to accomplish this?<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If you can answer those questions, you should be able to weigh what risks this personal data breach could pose to those affected and whether or not this incident rises to the level of reporting.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">When is Reporting a Personal Data Breach not necessary?<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignleft\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-Gdpr-General-Data-Protection-242954293-300x200.jpg\" alt=\"Personal Data Breach\" class=\"wp-image-6964\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-Gdpr-General-Data-Protection-242954293-300x200.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-Gdpr-General-Data-Protection-242954293-768x512.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-Gdpr-General-Data-Protection-242954293-1024x683.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-Gdpr-General-Data-Protection-242954293.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">That&#8217;s a decision that is entirely yours, one that should be made after considering all of the possible information regarding cause, size and scope. It would be irresponsible to make categorical suggestions here. But it should be pretty obvious once you investigate. Some of it also comes down to how cautious you want to be given the sizable penalties associated with messing this up.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It all comes down to the risk posed to the data subject(s). 
If the breach is small, limited to a single data subject, and doesn&#8217;t include passwords or financial data, you may be fine just documenting the situation and not reporting it. Or you might want to just play it safe and report it to your Data Protection Authority anyway.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regardless, you need to be documenting everything. And<strong> if you decide not to report an incident, make sure you document why you chose not to<\/strong>, including an explanation of why you don&#8217;t feel this poses a significant risk to the data subject.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What information should be included in a breach notification?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Your breach notification is going to need to include all of the following information:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A description of the personal data breach, including the categories and number of data subjects involved, as well as the types and quantity of records compromised.<\/li><li>A name and contact information for either your registered Data Protection Officer or the individual heading up the investigation, someone who can be contacted for information.<\/li><li>A description of the possible (and most likely) consequences of the compromise.<\/li><li>A description of your investigation and any measures you have taken or will be taking to remediate the issue.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If you don&#8217;t have all of the information within the first 72 hours (when you are required to report), it can be provided in phases, as it becomes available, provided this is done without undue delay.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Remember, transparency is important. If your supervisory authority doesn&#8217;t think you&#8217;re acting in good faith you will be penalized. So don&#8217;t try to be sneaky or hide anything. 
Most Data Protection Authorities, at least at this point &#8211; early on in the GDPR enforcement period &#8211; have shown a willingness to work with companies and not be overly punitive. They&#8217;re not trying to be adversarial, they&#8217;re just trying to make sure that people&#8217;s rights are respected.<\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">Who is my Data Protection Authority?<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"293\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/FTC_logo-293x300.jpg\" alt=\"Personal Data Breach\" class=\"wp-image-6976\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/FTC_logo-293x300.jpg 293w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/FTC_logo.jpg 355w\" sizes=\"auto, (max-width: 293px) 100vw, 293px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Your relevant Data Protection Authority varies by country and region. This is probably something you should have already figured out, but in the event you need a refresher, here&#8217;s a list of Data Protection Authorities by country:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For the United States, your Data Protection Authority is either the Department of Transportation or the Federal Trade Commission. 
You can check out the rest of the DPAs below:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">United States<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Federal Trade Commission<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">600 Pennsylvania Avenue, NW<br>Washington, DC 20580<br>Telephone: (202) 326-2222<br><a href=\"https:\/\/www.ftc.gov\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/www.ftc.gov<\/a><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seal_of_the_United_States_Department_of_Transportation.svg-300x300.png\" alt=\"Personal Data Breach\" class=\"wp-image-6960\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seal_of_the_United_States_Department_of_Transportation.svg-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seal_of_the_United_States_Department_of_Transportation.svg-768x768.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seal_of_the_United_States_Department_of_Transportation.svg-1024x1024.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seal_of_the_United_States_Department_of_Transportation.svg.png 1200w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Department of Transportation<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1200 New Jersey Ave, SE<br>Washington, DC 20590<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Telephone: (202) 366-4000<br><a href=\"https:\/\/www.transportation.gov\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/www.transportation.gov<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">EUROPEAN UNION<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">Austria<\/h2>\n\n\n\n<p 
class=\"wp-block-paragraph\"><strong>\u00d6sterreichische Datenschutzbeh\u00f6rde<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hohenstaufengasse 3<br>1010 Wien<br>Tel. +43 1 531 15 202525<br>Fax +43 1 531 15 202690<br><a href=\"mailto:dsb@dsb.gv.at\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">dsb@dsb.gv.at<\/a><br><a href=\"http:\/\/www.dsb.gv.at\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.dsb.gv.at\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Belgium<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Commission de la protection de la vie priv\u00e9e<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Commissie voor de bescherming van de persoonlijke levenssfeer<br>Rue de la Presse 35 \/ Drukpersstraat 35<br>1000 Bruxelles \/ 1000 Brussel<br>Tel. +32 2 274 48 00<br>Fax +32 2 274 48 35<br><a href=\"mailto:commission@privacycommission.be\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">commission@privacycommission.be<\/a><br><a href=\"http:\/\/www.privacycommission.be\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.privacycommission.be\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bulgaria<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Commission for Personal Data Protection<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2, Prof. Tsvetan Lazarov blvd.<br>Sofia 1592<br>Tel. +359 2 915 3580<br>Fax +359 2 915 3525<br><a href=\"mailto:kzld@cpdp.bg\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">kzld@cpdp.bg<\/a><br><a href=\"http:\/\/www.cpdp.bg\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.cpdp.bg\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Croatia<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Croatian Personal Data Protection Agency<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Marti\u0107eva 14<br>10000 Zagreb<br>Tel. 
+385 1 4609 000<br>Fax +385 1 4609 099<br><a href=\"mailto:azop@azop.hr\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">azop@azop.hr<\/a> or <a href=\"mailto:info@azop.hr\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">info@azop.hr<\/a><br><a href=\"http:\/\/www.azop.hr\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.azop.hr\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Cyprus<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Commissioner for Personal Data Protection<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1 Iasonos Street,<br>1082 Nicosia<br>P.O. Box 23378, CY-1682 Nicosia<br>Tel. +357 22 818 456<br>Fax +357 22 304 565<br><a href=\"mailto:commissioner@dataprotection.gov.cy\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">commissioner@dataprotection.gov.cy<\/a><br><a href=\"http:\/\/www.dataprotection.gov.cy\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.dataprotection.gov.cy\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Czech Republic<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Office for Personal Data Protection<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Urad pro ochranu osobnich udaju<br>Pplk. Sochora 27<br>170 00 Prague 7<br>Tel. +420 234 665 111<br>Fax +420 234 665 444<br><a href=\"mailto:posta@uoou.cz\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">posta@uoou.cz<\/a><br><a href=\"http:\/\/www.uoou.cz\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.uoou.cz\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Denmark<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Datatilsynet<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Borgergade 28, 5<br>1300 Copenhagen K<br>Tel. 
+45 33 1932 00<br>Fax +45 33 19 32 18<br><a href=\"mailto:dt@datatilsynet.dk\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">dt@datatilsynet.dk<\/a><br><a href=\"http:\/\/www.datatilsynet.dk\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.datatilsynet.dk\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Estonia<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">V\u00e4ike-Ameerika 19<br>10129 Tallinn<br>Tel. +372 6274 135<br>Fax +372 6274 137<br><a href=\"mailto:info@aki.ee\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">info@aki.ee<\/a><br><a href=\"http:\/\/www.aki.ee\/en\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.aki.ee\/en<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Finland<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Office of the Data Protection Ombudsman<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">P.O. Box 315<br>FIN-00181 Helsinki<br>Tel. +358 10 3666 700<br>Fax +358 10 3666 735<br><a href=\"mailto:tietosuoja@om.fi\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">tietosuoja@om.fi<\/a><br><a href=\"http:\/\/www.tietosuoja.fi\/en\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.tietosuoja.fi\/en\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">France<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Commission Nationale de l\u2019Informatique et des Libert\u00e9s \u2013 CNIL<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">8 rue Vivienne, CS 30223<br>F-75002 Paris, Cedex 02<br>Tel. 
+33 1 53 73 22 22<br>Fax +33 1 53 73 22 00<br><a href=\"http:\/\/www.cnil.fr\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.cnil.fr\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Germany<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Die Bundesbeauftragte f\u00fcr den Datenschutz und die Informationsfreiheit<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Husarenstra\u00dfe 30<br>53117 Bonn<br>Tel. +49 228 997799 0; +49 228 81995 0<br>Fax +49 228 997799 550; +49 228 81995 550<br><a href=\"mailto:poststelle@bfdi.bund.de\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">poststelle@bfdi.bund.de<\/a><br><a href=\"http:\/\/www.bfdi.bund.de\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.bfdi.bund.de\/<\/a><br>Germany splits complaints between different agencies:<br><a href=\"https:\/\/www.bfdi.bund.de\/bfdi_wiki\/index.php\/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/www.bfdi.bund.de\/bfdi_wiki\/index.php\/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Greece<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Hellenic Data Protection Authority<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Kifisias Av. 1-3, PC 11523<br>Ampelokipi Athens<br>Tel. +30 210 6475 600<br>Fax +30 210 6475 628<br><a href=\"mailto:contact@dpa.gr\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">contact@dpa.gr<\/a><br><a href=\"http:\/\/www.dpa.gr\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.dpa.gr\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hungary<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>National Authority for Data Protection and Freedom of Information<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Szil\u00e1gyi Erzs\u00e9bet fasor 22\/C<br>H-1125 Budapest<br>Tel. 
+36 1 3911 400<br><a href=\"mailto:peterfalvi.attila@naih.hu\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">peterfalvi.attila@naih.hu<\/a><br><a href=\"http:\/\/www.naih.hu\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.naih.hu\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Ireland<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Data Protection Commissioner<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Canal House<br>Station Road<br>Portarlington<br>Co. Laois<br>Lo-Call: 1890 25 22 31<br>Tel. +353 57 868 4800<br>Fax +353 57 868 4757<br><a href=\"mailto:info@dataprotection.ie\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">info@dataprotection.ie<\/a><br><a href=\"http:\/\/www.dataprotection.ie\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.dataprotection.ie\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Italy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Garante per la protezione dei dati personali<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Piazza di Monte Citorio, 121<br>00186 Roma<br>Tel. +39 06 69677 1<br>Fax +39 06 69677 785<br><a href=\"mailto:garante@garanteprivacy.it\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">garante@garanteprivacy.it<\/a><br><a href=\"http:\/\/www.garanteprivacy.it\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.garanteprivacy.it\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Latvia<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Data State Inspectorate<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Director: Ms Daiga Avdejanova<br>Blaumana str. 11\/13-15<br>1011 Riga<br>Tel. 
+371 6722 3131<br>Fax +371 6722 3556<br><a href=\"mailto:info@dvi.gov.lv\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">info@dvi.gov.lv<\/a><br><a href=\"http:\/\/www.dvi.gov.lv\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.dvi.gov.lv\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Lithuania<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>State Data Protection<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u017dygimant\u0173 str. 11-6a<br>011042 Vilnius<br>Tel. + 370 5 279 14 45<br>Fax +370 5 261 94 94<br><a href=\"mailto:ada@ada.lt\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ada@ada.lt<\/a><br><a href=\"http:\/\/www.ada.lt\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.ada.lt\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Luxembourg<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Commission Nationale pour la Protection des Donn\u00e9es<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1, avenue du Rock\u2019n\u2019Roll<br>L-4361 Esch-sur-Alzette<br>Tel. +352 2610 60 1<br>Fax +352 2610 60 29<br><a href=\"mailto:info@cnpd.lu\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">info@cnpd.lu<\/a><br><a href=\"http:\/\/www.cnpd.lu\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.cnpd.lu\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Malta<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Office of the Data Protection Commissioner<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Data Protection Commissioner: Mr Joseph Ebejer<br>2, Airways House<br>High Street, Sliema SLM 1549<br>Tel. 
+356 2328 7100<br>Fax +356 2328 7198<br><a href=\"mailto:commissioner.dataprotection@gov.mt\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">commissioner.dataprotection@gov.mt<\/a><br><a href=\"http:\/\/www.dataprotection.gov.mt\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.dataprotection.gov.mt\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Netherlands<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Autoriteit Persoonsgegevens<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Prins Clauslaan 60<br>P.O. Box 93374<br>2509 AJ Den Haag\/The Hague<br>Tel. +31 70 888 8500<br>Fax +31 70 888 8501<br><a href=\"mailto:info@autoriteitpersoonsgegevens.nl\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">info@autoriteitpersoonsgegevens.nl<\/a><br><a href=\"https:\/\/autoriteitpersoonsgegevens.nl\/nl\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/autoriteitpersoonsgegevens.nl\/nl<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Poland<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Bureau of the Inspector General for the Protection of Personal Data \u2013 GIODO<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ul. Stawki 2<br>00-193 Warsaw<br>Tel. +48 22 53 10 440<br>Fax +48 22 53 10 441<br><a href=\"mailto:kancelaria@giodo.gov.pl\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">kancelaria@giodo.gov.pl<\/a>; <a href=\"mailto:desiwm@giodo.gov.pl\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">desiwm@giodo.gov.pl<\/a><br><a href=\"http:\/\/www.giodo.gov.pl\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.giodo.gov.pl\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Portugal<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Comiss\u00e3o Nacional de Protec\u00e7\u00e3o de Dados \u2013 CNPD<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">R. de S\u00e3o. Bento, 148-3\u00b0<br>1200-821 Lisboa<br>Tel. 
+351 21 392 84 00<br>Fax +351 21 397 68 32<br><a href=\"mailto:geral@cnpd.pt\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">geral@cnpd.pt<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Romania<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The National Supervisory Authority for Personal Data Processing<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">President: Mrs Ancu\u0163a Gianina Opre<br>B-dul Magheru 28-30<br>Sector 1, BUCURE\u015eTI<br>Tel. +40 21 252 5599<br>Fax +40 21 252 5757<br><a href=\"mailto:anspdcp@dataprotection.ro\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">anspdcp@dataprotection.ro<\/a><br><a href=\"http:\/\/www.dataprotection.ro\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.dataprotection.ro\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Slovakia<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Office for Personal Data Protection of the Slovak Republic<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hrani\u010dn\u00e1 12<br>820 07 Bratislava 27<br>Tel.: + 421 2 32 31 32 14<br>Fax: + 421 2 32 31 32 34<br><a href=\"mailto:statny.dozor@pdp.gov.sk\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">statny.dozor@pdp.gov.sk<\/a><br><a href=\"http:\/\/www.dataprotection.gov.sk\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.dataprotection.gov.sk\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Slovenia<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Information Commissioner<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ms Mojca Prelesnik<br>Zalo\u0161ka 59<br>1000 Ljubljana<br>Tel. 
+386 1 230 9730<br>Fax +386 1 230 9778<br><a href=\"mailto:gp.ip@ip-rs.si\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">gp.ip@ip-rs.si<\/a><br><a href=\"https:\/\/www.ip-rs.si\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/www.ip-rs.si\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Spain<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Agencia de Protecci\u00f3n de Datos<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C\/Jorge Juan, 6<br>28001 Madrid<br>Tel. +34 91399 6200<br>Fax +34 91455 5699<br><a href=\"mailto:internacional@agpd.es\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">internacional@agpd.es<\/a><br><a href=\"https:\/\/www.agpd.es\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/www.agpd.es\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sweden<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Datainspektionen<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Drottninggatan 29<br>5th Floor<br>Box 8114<br>104 20 Stockholm<br>Tel. +46 8 657 6100<br>Fax +46 8 652 8652<br><a href=\"mailto:datainspektionen@datainspektionen.se\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">datainspektionen@datainspektionen.se<\/a><br><a href=\"http:\/\/www.datainspektionen.se\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http:\/\/www.datainspektionen.se\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">United Kingdom<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Information Commissioner\u2019s Office<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Water Lane, Wycliffe House<br>Wilmslow \u2013 Cheshire SK9 5AF<br>Tel. 
+44 1625 545 745<br><a href=\"mailto:international.team@ico.org.uk\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">international.team@ico.org.uk<\/a><br><a href=\"https:\/\/ico.org.uk\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/ico.org.uk<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">EUROPEAN FREE TRADE ASSOCIATION (EFTA)<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">Iceland<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Icelandic Data Protection Agency<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Rau\u00f0ar\u00e1rst\u00edg 10<br>105 Reykjav\u00edk<br>Tel. +354 510 9600; Fax +354 510 9606<br><a href=\"mailto:postur@personuvernd.is\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">postur@personuvernd.is<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Liechtenstein<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Data Protection Office<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Kirchstrasse 8, P.O. Box 684<br>9490 Vaduz<br>Principality of Liechtenstein<br>Tel. +423 236 6090<br><a href=\"mailto:info.dss@llv.li\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">info.dss@llv.li<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Norway<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Datatilsynet<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Data Inspectorate<br>P.O. Box 8177 Dep<br>0034 Oslo<br>Tel. +47 22 39 69 00; Fax +47 22 42 23 50<br><a href=\"mailto:postkasse@datatilsynet.no\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">postkasse@datatilsynet.no<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Switzerland<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Data Protection and Information Commissioner of Switzerland<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Eidgen\u00f6ssischer Datenschutz- und \u00d6ffentlichkeitsbeauftragter<br>Mr Adrian Lobsiger<br>Feldeggweg 1<br>3003 Bern<br>Tel. 
+41 58 462 43 95; Fax +41 58 462 99 96<br><a href=\"mailto:contact20@edoeb.admin.ch\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">contact20@edoeb.admin.ch<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Check out the rest of the Hashed Out GDPR Compliance Series<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.thesslstore.com\/blog\/preparing-gdpr-introduction-1\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: Introduction to a Series<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-domain-industry-registries-registrars\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: How it affects the Domain Industry<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/7-tips-web-hosts-preparing-gdpr\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: How it affects Web Hosts<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-whois-icann-match-made-hell\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: Problems for ICANN\/WHOIS?<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-privacy-shield-compliance-us-businesses\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: Complying with EU-US Privacy Shield<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/data-protection-officer\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: What is a Data Protection Officer?<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-privacy-notices\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: Best Practices for Privacy Notices<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/cookies-gdpr-compliance-involves-consent\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: What you need to know about Cookies<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/right-to-be-forgotten\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: What is the Right to be Forgotten?<\/a><\/li><li><a 
href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-data-audit\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: How to perform a Data Audit<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-encryption-best-practices-wp29\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: Encryption Best Practices<\/a><\/li><li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-report-personal-data-breach\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR: When to report a Personal Data Breach<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In the first month since the GDPR became enforceable, data breach self-reporting is up 500% Even before the European Union&#8217;s General Data Protection Regulation (GDPR) became enforceable on May 25th,&#8230;<\/p>\n","protected":false},"author":6,"featured_media":6969,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[2803,5742],"class_list":["post-6917","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-data-breach","tag-gdpr","post-with-tags"],"views":33510,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-Data-Breach-Word-Cloud-Collage-190228822.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6917","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable
":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=6917"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6917\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/6969"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=6917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=6917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=6917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}