On 11 December 2018, Regulation (EU) 2018/1725, aka "GDPR for EUIs", came into force, replacing the older Regulation (EC) 45/2001. This post focuses on the data breach notification requirements and highlights the differences between the previous Regulation and the new one. EU Institutions, Agencies and Bodies that are required to proceed to notifications upon a data breach have new notification requirements, according to the table below.
Article 25 of the old Regulation listed these mandatory items for notifications to the DPO:
- (a) the name and address of the controller and an indication of the organisational parts of an institution or body entrusted with the processing of personal data for a particular purpose
- (b) the purpose or purposes of the processing
- (c) a description of the category or categories of data subjects and of the data or categories of data relating to them
- (d) the legal basis of the processing operation for which the data are intended
- (e) the recipients or categories of recipient to whom the data might be disclosed
- (f) a general indication of the time limits for blocking and erasure of the different categories of data
- (g) proposed transfers of data to third countries or international organisations
- (h) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 22 to ensure security of processing
EUIs used their own templates for these notifications, sometimes including additional items, such as specifically noting whether a processor was involved. Article 31 of Regulation (EU) 2018/1725 lists the mandatory items for records under the new Regulation. Matching these two articles shows the commonalities and differences:
| Old Art. 25 (45/2001) | New Art. 31 (2018/1725) |
|---|---|
| (a) | (a), but adding contact details of the DPO and, where applicable, the processor and/or joint controller. |
| (d) | Removed, but mention this when describing the purposes under (b): in most cases, processing by EUIs will be to accomplish the tasks assigned to them or to comply with obligations under Union legislation. |
| (e) | (d), but more explicit that recipients in third countries / international organisations have to be mentioned as well (mention which ones). |
| (g) | (e) adds information on the safeguards for transfers to third countries / international organisations (e.g. standard contractual clauses, adequacy decision, international treaty). |
| (f) | (f) no specific mention of blocking anymore; mention your conservation periods here (incl. starting date). |
| (h) | (g) this is only a general description of the measures taken. |
For a more detailed review of the new Regulation (EU) 2018/1725, check our post Renewed Data Protection Regulation for EU Agencies.