Comparison of the Notification Activities of the Data Protection Regulations for EUIs

On 11 December 2018, Regulation (EU) 2018/1725, also known as the "GDPR for EUIs", came into force, replacing the older Regulation (EC) 45/2001. This post focuses on what the old Regulation called the notification of processing operations to the Data Protection Officer (DPO), which the new Regulation replaces with records of processing activities, and highlights the differences between the two. EU Institutions, Agencies and Bodies (EUIs) that used to notify their processing operations to the DPO now have to document them in records whose mandatory content differs from that of the old notifications, as shown in the table below.

Article 25 of the old Regulation listed these mandatory items for notifications to the DPO:

  • (a) the name and address of the controller and an indication of the organisational parts of an institution or body entrusted with the processing of personal data for a particular purpose
  • (b) the purpose or purposes of the processing
  • (c) a description of the category or categories of data subjects and of the data or categories of data relating to them
  • (d) the legal basis of the processing operation for which the data are intended
  • (e) the recipients or categories of recipient to whom the data might be disclosed
  • (f) a general indication of the time limits for blocking and erasure of the different categories of data
  • (g) proposed transfers of data to third countries or international organisations
  • (h) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 22 to ensure security of processing

EUIs used their own templates for these notifications, sometimes including additional items, such as specifically noting whether a processor was involved. Article 31 of Regulation (EU) 2018/1725 lists the mandatory items for the records of processing activities that replace these notifications; the records are kept by the controller and, under Article 31(5), collected by the EUI in a central, publicly accessible register. Matching the two articles item by item shows the commonalities and differences:

Old Art. 25 (45/2001)   New Art. 31 (2018/1725)
(a)                     (a), but adding the contact details of the controller and of the DPO and, where applicable, the name and contact details of the processor and/or joint controller.
(b)                     (b) same.
(c)                     (c) same.
(d)                     removed as a separate item; mention the legal basis when describing the purposes under (b). In most cases, processing by EUIs will be necessary to accomplish the tasks assigned to them or to comply with obligations under Union law.
(e)                     (d), but more explicit that recipients in Member States, third countries and international organisations have to be mentioned as well (state which ones).
(g)                     (e) adds the identification of the third country or international organisation and the documentation of the safeguards for the transfer (e.g. standard contractual clauses, adequacy decision, international treaty).
(f)                     (f) no specific mention of blocking any more (the new Regulation speaks of restriction of processing instead); state your retention periods here, including the event or date from which they start to run.
(h)                     (g) only a general description of the technical and organisational security measures is required; note that these are now the measures referred to in Article 33 of the new Regulation, the counterpart of Article 22 of the old one.

For a more detailed review of the new Regulation (EU) 2018/1725, check our post Renewed Data Protection Regulation for EU Agencies.
