§ 65 Notifying the Federal Commissioner of a personal data breach

  1. In the case of a personal data breach, the controller shall notify the Federal Commissioner without delay and, if possible, not later than 72 hours after having become aware of it, of the personal data breach, unless the personal data breach is unlikely to result in a risk to the legally protected interests of natural persons. If the Federal Commissioner is not notified within 72 hours, the notification shall be accompanied by reasons for the delay.
  2. A processor shall notify the controller of a personal data breach without delay.
  3. The notification referred to in subsection 1 shall include at least the following information:
    1. a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. a description of the likely consequences of the personal data breach; and
    4. a description of the measures taken or proposed by the controller to address the personal data breach, including measures to mitigate its possible adverse effects.
  4. If it is not possible to provide the information pursuant to subsection 3 with the notification, the controller shall provide this information as soon as it is available.
  5. The controller shall document any personal data breaches. This documentation shall include all the facts relating to the personal data breach, its effects and the remedial action taken.
  6. If the personal data breach involves personal data that have been transmitted by or to a controller in another Member State of the European Union, the information referred to in subsection 3 shall be communicated to the controller in that Member State without delay.
  7. Section 42 (4) shall apply accordingly.
  8. Additional obligations of the controller regarding notifications of personal data breaches shall remain unaffected.

Content of the FDPA (new)

Part 1 – Common provisions (§§ 1 - 21)

Part 2 – Implementing provisions for processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679 (§§ 22-44)

Chapter 1 – Legal basis for processing personal data

Sub-chapter 1 – Processing of special categories of personal data and processing for other purposes

Sub-chapter 2 – Special processing situations

Chapter 2 – Rights of the data subject

Chapter 3 – Obligations of controllers and processors

Chapter 4 – Supervisory authorities for data processing by private bodies

Chapter 5 – Penalties

Chapter 6 – Legal remedies

Part 3 – Implementing provisions for processing for purposes in accordance with Article 1 (1) of Directive (EU) 2016/680 (§§ 45-84)

Chapter 1 – Scope, definitions and general principles for processing personal data

Chapter 2 – Legal basis for processing personal data

Chapter 3 – Rights of the data subject

Chapter 4 – Obligations of controllers and processors

Chapter 6 – Cooperation among supervisory authorities

Chapter 7 – Liability and penalties

Part 4 – Special provisions for processing in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 (§ 85)