On 11 December 2018, Regulation (EU) 2018/1725, aka the "GDPR for EUIs", came into force, replacing the older Regulation (EC) 45/2001. This post focuses on the data breach notification requirements and highlights the differences between the previous Regulation and the new one. EU Institutions, Agencies and Bodies that are required to submit notifications upon a data breach now have new notification requirements, as set out in the table below.
Article 25 of the old Regulation listed these mandatory items for notifications to the DPO:
EUIs used their own templates for these notifications, sometimes including additional items, such as specifically noting whether a processor was involved. Article 31 of Regulation (EU) 2018/1725 lists the mandatory items for records under the new Regulation. Comparing these two articles shows the commonalities and differences:
| Old Art. 25 (45/2001) | New Art. 31 (2018/1725) |
| --- | --- |
| (a) | (a), but adding the contact details of the DPO and, where applicable, the processor and/or joint controller. |
| (d) | Removed, but mention this when describing the purposes under (b): in most cases, processing by EUIs will be to accomplish the tasks assigned to them or to comply with obligations under Union legislation. |
| (e) | (d), but more explicit that recipients in third countries / international organisations have to be mentioned as well (mention which ones). |
| (g) | (e), adding information on the safeguards for transfers to third countries / international organisations (e.g. standard contractual clauses, adequacy decision, international treaty). |
| (f) | (f), with no specific mention of blocking anymore; mention your conservation periods here (incl. starting date). |
| (h) | (g), which is only a general description of the measures taken. |
For a more detailed review of the new Regulation (EU) 2018/1725, check our post Renewed Data Protection Regulation for EU Agencies.