9. Notification of personal data breach

  1. On discovery of a personal data breach at the Data Processor’s facilities or a sub-processor’s
    facilities, the Data Processor shall without undue delay notify the Data Controller. The Data
    Processor’s notification to the Data Controller shall, if possible, take place within 48 hours after
    the Data Processor has discovered the breach to enable the Data Controller to comply with his
    obligation, if applicable, to report the breach to the supervisory authority within 72 hours.

  2. According to Clause 9.2., para b, of this Data Processing Agreement, the Data Processor shall –
    taking into account the nature of the processing and the data available – assist the Data Controller
    in the reporting of the breach to the supervisory authority. This may mean that the Data Processor
    is required to assist in obtaining the information listed below which, pursuant to Article 33, subsection
    3, of the General Data Protection Regulation, shall be stated in the Data Controller’s report
    to the supervisory authority:

    1. The nature of the personal data breach, including, if possible, the categories and the
      approximate number of affected data subjects and the categories and the approximate
      number of affected personal data records

    2. Probable consequences of a personal data breach

    3. Measures which have been taken or are proposed to manage the personal data breach,
      including, if applicable, measures to limit its possible damage
