CIPP-E Exam Questions

CIPP-E Exam - Question 40


An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP29's February 2018 guidance, company Z should do which of the following?

Correct Answer: BC

When faced with a temporary loss of availability of personal data, such an event should be documented in accordance with Article 33(5) GDPR to demonstrate accountability. This documentation assists in showing compliance and may be reviewed by the supervisory authority. Notification to the affected individuals or the supervisory authority is only required if the incident poses a risk to the rights and freedoms of individuals. Therefore, in the absence of such risk, documentation suffices.

Discussion

6 comments
Securmec (Option: B)
Sep 3, 2023

All data breaches should be documented if the company has more than 250 employees. The unavailability of customer information doesn't lead to a risk for the rights and freedoms of the data subject. It could be the case for life-maintaining systems in a hospital, but this case seems to be very specific.

num (Option: B)
Mar 13, 2023

Notification to affected individuals or supervisory authorities is only necessary if the incident meets the GDPR's definition of a personal data breach, which requires the incident to result in a risk to the rights and freedoms of individuals. If the data was not compromised or there was no risk to individuals, notification is not required.

Roemroyen (Option: B)
Feb 3, 2023

I think it's B. Because according to the guideline, "a breach involving the temporary loss of availability should be documented in accordance with Article 33(5)... However, depending on the circumstances of the breach, it may or may not require notification to the supervisory authority and communication to affected individuals"

Meastn (Option: C)
Mar 8, 2023

C should be correct. Since a data subject's inability to access his/her data is also a breach, and as with all data breaches, the controller should notify the supervisory authority within 72 hours as the first thing to do.

semilias
Dec 31, 2022

The answer should be D, because this is a 'security breach', not a personal data breach event. Only personal data breaches should be directly notified to the authority. Based on the Article 4(12) description, it would only qualify as a personal data breach if it involved unauthorized access. Article 32(1) states this as a security breach, and Article 32(2) points to the next step of being required to "assess the appropriate level of security". WP29 acts as a guide to first determine the type of breach.

Hannaway (Option: B)
Mar 16, 2024

"a breach involving the temporary loss of availability should be documented in accordance with Article 33(5) GDPR. This assists the controller in demonstrating accountability to the supervisory authority, which may ask to see those records. However, depending on the circumstances of the breach, it may or may not require notification to the supervisory authority and communication to affected individuals. The controller will need to assess the likelihood and severity of the impact on the rights and freedoms of natural persons as a result of the lack of availability of personal data. In accordance with Article 33 GDPR, the controller will need to notify unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Of course, this will need to be assessed on a case-by-case basis."