Notification of data breaches to the Czech supervisory authorities
The Czech Data Protection Authority published a Q&A for controllers about the notification of data breaches (in Czech) at:
It includes the overall description of cases that should be reported to the Czech Data Protection Authority, with examples such as:
- an attack against a computer where personal data is processed, resulting in unlawful personal data dissemination, alteration, or other misuse,
- the loss of documents containing personal data that were part of a manual filing system or were printed from a computer in which such records are kept, and the content of those documents constitutes a risk for the respective data subjects (for example health documentation).
It also gives an example of a case that does not have to be reported: a paper document that temporarily cannot be located, where it is unlikely that any unauthorized person has gained access to it because it was most probably only misfiled.
Moreover, it describes the content of the report, which is exactly as required by the GDPR. Namely, it should:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Finally, it specifies that the breach should be reported to the Czech Data Protection Authority either by email to email@example.com or through the Czech system of secure electronic mailboxes used for communication with public authorities, at: qkbaa2n.
Exceptions or restrictions to the obligation to communicate data breaches to data subjects
Pursuant to Article 12 of the Data Protection Act, where the controller is obliged to communicate a data breach to data subjects, that communication may be restricted in scope or delayed if this is necessary and proportionate to secure a protected interest (see Definitions for more information). The controller must inform the Czech Data Protection Authority of any such restriction without undue delay.