Under the GDPR, a controller must notify a data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of the data subject, unless one of the following conditions applies: the personal data are rendered unintelligible to any person who is not authorized to access it, such as by encryption; the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize; or the notification would involve disproportionate effort, in which case a public communication or similar measure may suffice. In this case, an encrypted USB key with sensitive personal data is stolen, but the personal data are presumably unintelligible to the thief, so the controller does not need to notify the data subject. However, the controller still needs to notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
References:
- CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section B: Protecting Personal Information, Subsection 2: Data Breach Incident Planning and Management
- CIPM Study Guide (2021), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach Incident Planning and Management
- CIPM Textbook (2019), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach Incident Planning and Management
- CIPM Practice Exam (2021), Question 134
- GDPR Articles 33 and 34