Notification of data breaches to the French supervisory authorities
Art. 34 stipulates that providers of public communications networks must notify data breakdowns or security incidents immediately to the CNIL by signed, registered letter or by electronic means. The notification must also include a detailed description of the incident, its impact and any countermeasures already taken.
Communication of a personal data breach to the data subject
If an incident under Art. 34 (b) also concerns the private relations or the private life of a data subject (customer, subscriber), the controller must inform the data subject, unless the CNIL states that the controller has sufficiently pseudonymized the data. The CNIL may also require at any time that the controller informs data subjects.