Comparison of the Notification Activities of the Data Protection Regulations for EUIs

On 11 December 2018, Regulation (EU) 2018/1725 aka "GDPR for EUIs" came into force, replacing the older Regulation (EC) 45/2001. This post focuses on the data breach notification requirements and highlights the differences between the previous Regulation and the new one. EU Instiutes, Agencies and Bodies required to proceed to notifications upon a data breach have new notification requirements, according to the table below.

Article 25 of the old Regulation listed these mandatory items for notifications to the DPO:

• (a) the name and address of the controller and an indication of the organisational parts of an institution or body entrusted with the processing of personal data for a particular purpose
• (b) the purpose or purposes of the processing
• (c) a description of the category or categories of data subjects and of the data or categories of data relating to them
• (d) the legal basis of the processing operation for which the data are intended
• (e) the recipients or categories of recipient to whom the data might be disclosed
• (f) a general indication of the time limits for blocking and erasure of the different categories of data
• (g) proposed transfers of data to third countries or international organisations
• (h) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 22 to ensure security of processing

EUIs used their own templates for these notifications, sometimes including additional items, such as specifically noting whether a processor was involved. Article 31 of the (EU) 2018/1725 lists the mandatory items for records under the Regulation. Matching these two articles shows the commonalities and differences:

For a more detailed review of the new Regulation (EU) 2018/1725, check our post Renewed Data Protection Regulation for EU Agencies.