Data Protection in Albania

Breach notification

Change countries

Change country

Data protection laws in Albania

On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.

The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.

The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.

Scope

The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).

Territorial Scope

The Data Protection Law shall apply:

in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
of data subjects, who are located in the Republic of Albania, by a controller who is not established in the Republic of Albania, but the processing operations relate to:

1. the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
2. the monitoring the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;

by a controller or processor, who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).

Related resources

Definitions

Definitions in Albania

Definition of Personal Data

Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).

A “data subject” refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).

Definition of Sensitive Personal Data

Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, trade union membership, genetic data, biometric data, data concerning a person’s health, life or sexual orientation (Article 5(28)).

“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which are obtained, in particular, because of the analysis of a biological sample taken from that person (Article 5(25)).

“Biometric data” means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).

“Data concerning health” means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which indicates information relating to his or her state of health (Article 5(26)).

Authority

National data protection authority in Albania

The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.

In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.

The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.

The Commissioner is seated at:

Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania

Registration

Registration in Albania

A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.

If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).

This requirement applies when processing involves:

the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.

This requirement shall not apply:

to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
to public authorities.

Data protection officers

Data protection officers in Albania

Obligation to designate a Data Protection Officer (“DPO”) (Article 33)

The controller and the processor must designate a DPO if:

The processing is carried out by a public authority or body, excluding courts, in the course of judicial activities;
The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.

A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.

In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.

Duties and position of the DPO (Article 34)

The DPO has the following duties:

Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
Participates in data protection impact assessments;
Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
Cooperates with and serves as a point of contact for the Commissioner;
Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.

The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.

The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.

The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.

The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.

Collection and processing

Collection and processing in Albania

The Data Protection Law provides the following definitions:

A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).

A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).

Principles for the lawful processing of personal data (Article 6)

Personal data shall be:

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up to date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).

Lawfulness of processing of personal data (Article 7)

Processing shall be lawful only if and to the extent that at least one of the following applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Lawfulness of processing of sensitive data (Article 9)

Processing of sensitive data is prohibited.

The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his / her health condition or when his / her right to act has been removed or restricted;
processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
procesecessary for archiving purposes in the public interest, for historical, research, scientific or statistical purposes, subject to legal provisions.

Lawfulness of processing of data related to criminal offences and convictions (Article 10)

Processing of personal data relating to criminal convictions and offences or security measures related thereto is carried out only under the control of competent authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.

Processing of data for specific purposes:

Processing of personal data and freedom of expression (Article 43)

To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:

The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
The data is only used for the specified purpose;
The publication serves the public interest;
Applying the Data Protection Law would hinder the purpose;
The processing does not harm the fundamental rights of data subjects.

If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.

Additionally, when publishing, the controller must ensure minors, crime victims, or individuals claiming harm are not identifiable without consent or court approval, except when the victim is a public figure related to their role

Exceptions do not apply to processing data about minors or certain other legal provisions.

Processing of personal data and access to information in the public sector (Article 44)

The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information, is not restricted by personal data protection laws for public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.

Processing of personal data for archiving, research, and statistical purposes (Article 45)

The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.

Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.

This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:

Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.

Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.

Processing of personal data and direct marketing (Article 46)

See Electronic marketing.

Related resources

Transfer

Transfer in Albania

General principles (Article 39)

Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.

Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.

Transfer of data based on an adequacy decision (Article 40)

Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.

Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016 the following states have an adequate level of data protection:

European Union member states;
European Economic Area states;
Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
States where personal data may be transferred, pursuant to a decision of the European Commission.

Transfer of data in the absence of an adequacy decision (Article 41)

In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.

If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:

the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
the transfer is necessary for important reasons of public interest;
the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.

Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.

Related resources

Security

Security in Albania

General responsibility of the controller (Article 22)

The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals’ rights and freedoms. These measures must be regularly reviewed and updated as necessary.

Data protection by design and by default (Article 23)

Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects’ rights.

Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.

Measures to ensure the security of processing (Article 28)

The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:

Pseudonymization and encryption of personal data;
The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.

The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.

Related resources

Breach notification

Breach notification in Albania

Controller’s notification to the Commissioner (Article 29)

In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.

The notification to the Commissioner must include, at a minimum:

A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
The name and contact details of the DPO or another relevant contact point;
A description of the likely consequences of the personal data breach;
A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.

If all of the required information is not available at once, it may be provided in stages, as soon as possible.

The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.

Controller’s notification to the data subjects (Article 29)

The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:

The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.

Processor’s notification to the controller (Article 29)

The processor shall notify the controller immediately after becoming aware of any personal data breach.

Related resources

Enforcement

Enforcement in Albania

The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:

Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
Imposing administrative sanctions and penalties, and overseeing their enforcement.

Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.

The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.

The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.

Electronic marketing

Electronic marketing in Albania

Electronic and direct marketing under the Data Protection Law

The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities since they typically involve personal data, like an email address that includes the recipient’s name.

Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).

The most common legal grounds for the processing of data for direct marketing are:

The legitimate interests of the controller

Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.

The consent of the data subject

When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).

Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.

The processing of a minor’s personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor’s parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).

The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).

The Commissioner has issued an Instruction no. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.

Electronic and direct marketing under the Electronic Communications Law

According to Law 54/2024 “On electronic communications in the Republic of Albania” (“Electronic Communications Law”), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender’s identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 “Unsolicited communications”).

Online privacy

Online privacy in Albania

Online privacy under the Data Protection Law

The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.

Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:

Right to rectification and erasure (Article 15(2)(dh))

The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.

The right to be forgotten (Article 16)

When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.

In order to provide some clarifications on the notion of cookies and their use, the Commissioner has defined the cookies in an online dictionary as some data stored on the computer, which contain specific information. This rudimentary definition is further complemented by a short explanation which states that cookies allow any server to know what pages have been visited recently, just by reading them.

The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:

The right to be fully informed and to give their approval if a website (or an application) processes their data;
The right to keep their online communications secret (including email, the computer’s IP or modem No.);
The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
The right to request that their personal data to be excluded from data processing for direct marketing if they have not given their consent.

Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:

The identity of the controller;
The information collected from the users, specifying the category of personal data;
Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use.

Online privacy under the Electronic Communications Law

The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.

Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.

The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.

Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.

Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).

Related resources

Key contacts

Data protection lawyers in Albania

Flonia Tashko

Partner

Tashko Pustina

Tirana

Email Full bio

Alban Shanaj

Partner

Tashko Pustina

Tirana

Controller’s notification to the Commissioner (Article 29)

The notification to the Commissioner must include, at a minimum:

A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
The name and contact details of the DPO or another relevant contact point;
A description of the likely consequences of the personal data breach;
A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.

If all of the required information is not available at once, it may be provided in stages, as soon as possible.

Controller’s notification to the data subjects (Article 29)

The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.

Processor’s notification to the controller (Article 29)

The processor shall notify the controller immediately after becoming aware of any personal data breach.

Last modified 28 January 2025

Administrative measures

In case of violations of the provisions of Law No. 18-07 by the controller, administrative measures are taken by the national authority:

warning;
formal notice;
provisional withdrawal for a period not exceeding one year, or definitive withdrawal of the declaration receipt or authorisation;
a fine.

The national authority may also impose fines on the controller which:

refuses, without legitimate reason, the rights of information, access, rectification or opposition;
fails to make the required notifications to the national authority.

Criminal sanctions

Violation of the provisions of Law No. 18-07 is punishable by imprisonment and / or a fine.

Article 47 to 74 of the law No. 18-07 provide that non-compliance with the Data Protection Law is punishable by a fine ranging from 20,000 DZD to 1,000,000 DZD and / or imprisonment between two months and five years.

Mandatory breach notification

Where the processing of personal data over electronic communication networks results in the destruction, loss, alteration, disclosure or unauthorised access of such data, the service provider must notify the national authority and the data subject without delay where such a breach may affect the privacy of the data subject.

Failure by a service provider to notify the national authority or the data subject of a personal data breach is punishable by imprisonment and a fine.

Last modified 20 January 2025

There is no mandatory breach notification requirement under the Data Protection Law.

However, pursuant to the Electronic Communications and Information Society Services Law, companies offering electronic communications services accessible to the public shall, without undue delay, notify the APD and the Electronic Communications Authority, Instituto Angolano das Comunicações, (INACOM) of any breach of security committed with intent or that recklessly leads to destruction, loss, partial or total modification or non-authorized access to personal data transmitted, stored, retained or in any way processed under the offer of electronic communications services.

Companies offering electronic communications services accessible to the public shall also keep an accurate register of data breaches, indicating the concrete facts and consequences of each breach and the measures put in place to repair or prevent the breach.

The same applies under Protection of Information Systems and Networks Law.

Last modified 30 December 2021

Not specifically required under data protection law.

Failure to notify a data security breach is not in itself a violation of the data protection regime, but may bear on the effects of security violation, especially if lack of such notification results in other security breaches or damages. The person responsible for the data must keep records on security breaches, and these records may be requested by the data protection authority.

Breach notification may be mandatory if the data protection authority specifically requests information about data breaches.

Last modified 28 January 2025

In case unlawful operations performed upon personal data are revealed, the processor shall be obliged to immediately, but not later than within three working days eliminate the committed violations. In case it is impossible to eliminate the violations, the processor shall be obliged to immediately destruct personal data. The processor shall be obliged to inform the data subject or his or her representative on the elimination of violations or the destruction of personal data within three working days, and where the request is received from the authorized body for the protection of personal data — also this body.

The processor shall be obliged to inform the data subject or his or her representative on the elimination of violations or the destruction of personal data within three working days, and where the request is received from the authorized body for the protection of personal data — also this body.

Mandatory breach notification

In case of an outflow of personal data from electronic systems the processor shall be obliged to immediately publish an announcement thereon, meanwhile reporting on the outflow the Police of the Republic of Armenia and authorized body for the protection of personal data.

Last modified 20 January 2025

National Ordinance Person Registration

Contains no specific clauses.

GDPR

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Last modified 10 February 2025

Eligible data breaches

Entities with obligations to comply with the Privacy Act must comply with the mandatory data breach notification regime under the Privacy Act.

The mandatory data breach notification includes data breaches that relate to:

Personal information;
Credit reporting information;
Credit eligibility information; and
Tax file numbers.

In summary, the regime requires organizations to notify the OAIC and affected individuals of "eligible data breaches" (in accordance with the required contents of a notice). Where it is not practicable to notify the affected individuals individually, an organization that has suffered an eligible data breach must make a public statement on its website containing certain information as required under the Privacy Act, and take reasonable steps to publicise the contents of the statement.

An "eligible data breach" occurs when all of the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information:

There is unauthorized access to, or unauthorized disclosure of, or loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur;
A reasonable person would conclude that the access or disclosure, or loss would be likely to result in serious harm to any of the individuals to which the information relates; and
Prevention of the risk of serious harm through remedial action has not been successful.

While "serious" harm is not defined in the legislation, the OAIC has released guidance on how serious harm may be interpreted and assessed by organizations. There are a number of key criteria to examine when determining if "serious" harm is likely to result from a breach which should be assessed holistically and take into account: the kinds of information, sensitivity, security measures protecting the information, the nature of the harm (i.e. physical, psychological, emotional, financial or reputational harm) and the kind(s) of person(s) who may obtain the information.

The regime also imposes obligations on organizations to assess within 30 calendar days whether an eligible data breach has occurred where the organization suspects (on reasonable grounds) that an eligible data breach has occurred, but that suspicion does not amount to reasonable grounds to believe that an eligible data breach has occurred.

There are various exceptions to the requirement to notify affected individuals and / or the OAIC of a data breach notification including in instances where law enforcement related activities are being carried out or where there is a written declaration by the Information Commissioner.

The introduction of the regime has resulted in many organizations requiring detailed contractual obligations with third party suppliers in relation to cybersecurity and the protection of personal information of their customers / clients. Complimenting this regime, the OAIC has also released several guidance notes relating to the regime which include topics such as the security of personal information and whilst these are not legally binding, they are considered industry best practice.

In the event of an eligible data breach, the Australian Attorney-General may make an eligible data breach declaration to allow the sharing of personal information following a notifiable data breach for the purpose of preventing or reducing the risk of harm to individuals. This would allow, for example, details of individuals impacted by an eligible data breach to be shared with banks so that the necessary protective measures could be applied to their accounts.

Other notification obligations

Further, organizations may have additional obligations to notify other regulators of data breaches in certain circumstances including under the Prudential Standard CPS 234 Information Security ("CPS 234") which aims to strengthen APRA-regulated entities' resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach. CPS 234 applies to all APRA-regulated entities who among other things, are required to notify APRA within 72 hours "after becoming aware" of an information security incident and no later than 10 business days after "it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner".

The Cyber Security Act introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to organizations.
Organisations which exceed the turnover threshold must report to the designated Commonwealth body within 72 hours if:

a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity; and
the reporting business entity or a related entity has provided a payment to the extorting entity that is directly related to a demand made by the extorting entity.

Last modified 20 January 2025

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A "personal data breach" is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, they are required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

Last modified 20 January 2025

There is no specific requirement as to notification of the DPA by the owner or operator of personal data about breach.

Last modified 15 February 2022

There is no breach notification obligation under the provisions of DPA.

Last modified 28 January 2025

The data controller shall establish specific procedures to inform the Personal Data Protection Authority of the occurrence of any violation or breach of data within a period not exceeding (72) hours from the date of its discovery, unless if the such personal data breach would not affect the rights of data subjects.

Last modified 20 January 2025

There is no requirement to report data breaches to any individual or regulatory body.

Last modified 3 January 2024

In certain circumstances, a data controller is required to report to the Commissioner data breaches which have affected a data subject.

Mandatory breach notification

Where there is a personal data breach the data controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of an individual.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must communicate the personal data breach to the data subject without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Last modified 28 January 2024

Data Protection Law establishes an obligation to notify NPDPC on breach of systems used for personal data protection immediately, but not later than within three business days of discovery, in writing or in the form of an electronic document. Exceptions to this requirement are cases where a breach of security systems has not resulted in the unlawful dissemination, provision of personal data; modification, blocking or deletion of personal data without the possibility of restoring access to it.

Certain additional requirements on the notification of the OAC are set for specific cases of information protection system breaches or periodical reporting as required by Belarus law. The respective requirements are set forth in the Regulations on the procedure for submitting information about information security events, the state of technical and cryptographic protection of information to the OAC, as approved by the Order of the OAC of 2 February 2020 No. 66.

Last modified 20 January 2025

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Belgium regulation

No general additional requirements are inserted in the Data Protection Act relating to data breaches.

Data breach obligations are also detailed for each special regime, but they resemble those contained in the GDPR.

Last modified 31 December 2024

A data controller must notify the Commissioner of the APDP of any breach to the security safeguards of personal data, without delay (Article 427 of The Law on the Digital Code).

The notification must, at a minimum:

describe the nature of the security breach that affected personal data including, if possible, the categories and approximate number of individuals affected by the breach and the categories and approximate number of personal data records affected;
provide the name and contact information of the Data Protection Officer or other point of contact from whom additional information can be obtained;
describe the likely consequences of the security breach; and
describe the steps taken or proposed to be taken by the controller to remedy the security breach, including, if applicable, steps to mitigate any adverse consequences.

Last modified 20 January 2025

PIPA requires notification of a breach of security leading to the loss or unlawful destruction or unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual to (a) the individual concerned; and (b) the Privacy Commissioner.

The notice to the Commissioner must describe the nature of the breach, its likely consequences for the individual concerned, and the measures the organisation is taking to address the breach.

Last modified 28 January 2024

There is no data breach notice requirement.

Last modified 24 January 2022

Personal Data Protection Act BES

Contains no specific clauses.

GDPR

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Last modified 10 February 2025

The DP Law does not impose data security breach notification duty on the controller. However, the Rules do impose a duty on the Database's administrator, processor and performer to inform the controller on any attempt of unauthorized access to information system for the Database's management.

However, the regulations issued by the Communication Regulatory Agency (RAK) should be considered. The Regulation on Carrying out the Activities of the Publicly Available Electronic Communication Networks ('Official Gazette of BiH' no. 66/12) (Regulation A) stipulates that the operator of publicly available electronic communication networks (Operator) is required to inform RAK about its activities, operations and other applicable information required for RAK’s regulatory competences. Since RAK’s Regulation on Conditions for Providing the Telecommunications Services and Relation with End Users ('Official Gazette of BiH' no. 28/13) (Regulation B) prescribes for the Operator’s obligation to undertake such methods which will protect the privacy of users and others, in a manner that will ensure the integrity and confidentiality of data, it can be concluded that the Operator is required to notify RAK of any breach of security and integrity of public telecommunication services that resulted in violation of protection of personal data or privacy of the respective services' s users.

When it comes to the notification duty towards the users, the Regulation B obliges the Operator to inform the users adequately (e.g. in user agreement, in its terms and conditions or in the appropriate technical way) about the possibility of privacy or telecommunication facilities violations.

Pursuant to the Draft Data Protection Law in case of a personal data breach the controller is obliged to undue delay and where feasible not later than 72 hours after having become aware of it, which fully correspond to the obligation prescribed by GDPR.

Last modified 20 January 2025

Data controllers and data processors shall without delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commission, unless the personal data breach in unlikely to result in a risk to the rights and freedoms of the data subject. Where notification is not made within it shall be accompanied by reasons for the delay the data processor shall notify the data controller without undue delay after becoming aware of the personal data breach. The notification for breach shall describe the nature of the personal data breach including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.

Last modified 20 January 2025

According to the LGPD, any unauthorized accesses and from accidental or unlawful situations of destruction, loss, alteration, communication or diffusion is considered a breach.

The controller is responsible for reporting to ANPD and the data subject within three (3) working days after becoming aware of the breach if it is likely to result in risk or harm to data subjects.

On April 24, 2024, the ANPD published Regulation CD/ANPD 15/2024, which provides for the rules for communication of data breaches. According to such regulation, a breach is considered to pose relevant risks or damages to data subjects if it significantly affects their interests and fundamental rights and involves at least one of the following criteria:

Sensitive personal data
Data relating to children, adolescents, or the elderly
Financial data
Data used for system authentication (e.g., login credentials, tokens, or passwords)
Data protected by legal, judicial, or professional confidentiality obligations, or
Large-scale data.

If a notification is required, it must be submitted by the controller’s DPO or the legal representative with the corresponding nomination documentation or power of attorney, through a breach reporting form provided by the ANPD.

The notice to the ANPD must contain, at least, the following key information:

Description of the nature of the affected personal data
Information regarding the data subjects involved, including the amount of data subjects, detailing, when applicable, the amount of children, adolescents or elderly involved
Indication of the security measures used to protect the personal data before and after the incident
The risks generated by the incident with identification of possible impacts for data subjects
The reasons for a delay in communication (if any)
The measures that were or will be adopted to reverse or mitigate the effects of the incident
The date in which the incident occurred, if possible to identify, and the date in which the controller became aware of the data incident
Information on the data protection officer or of the controller’s legal representative
The controller’s identification
The processor’s identification, if applicable
A description of the incident, including the main cause, if possible to identify
The total amount of data subjects involved in the data processing activities affected by the incident
Information regarding the communication to the affected data subjects

As to the notification to affected data subjects, the following information is required:

A description of the nature and categories of personal data affected
The technical and security measures taken to protect the personal data
Risks related to the data incident and identification of the possible impacts on data subjects
The reasons for the delay (if any)
The measures that have been or will be taken to reverse or mitigate the effects of the data incident, when applicable
The date in which the controller became aware of the data incident
Contact for obtaining information and, if applicable, contact data of the of the controller’s data protection officer

It is important to highlight that notification to the affected data subjects must be made (i) in simple and easy-to-understand language, and (ii) individually, directly to the data subjects, also within three (3) working days counted from the date when the controller became aware of the security incident. The notification may be carried out by any means such as e-mail, SMS, letter, or electronic message and, preferably, through the channel normally used by the controller to communicate with the data subject. If the controller is unable to identify each individual data subject affected by the incident, it shall notify the occurrence of the data incident through the available means of dissemination, such as its website, applications, social media and customer service channels, so that the communication allows broad knowledge, with direct and easy visualization, for a period of at least three (3) months.

Controller is required to submit to the ANPD a declaration stating that data subjects were duly informed of the breach, containing the communication or broadcast means used, within three (3) working days after filing the notification before the ANPD. If direct and individualized communication to data subjects is not feasible, controller shall notify the data subjects through broadcast means available, such as its website, apps, social media and customer service, to ensure that the notification allows broad knowledge with direct and easy visualization for at least three (3) months.

Additionally, the ANPD must verify the seriousness of the incident and may, if necessary to safeguard the data subject's rights, order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures to reverse or mitigate the effects of the incident.

The failure to report a data breach that could cause significant risk or damage to data subjects may subject agents to the administrative sanctions provided under the LGPD. In case the Controller is unable to provide a complete breach notification within the three (3) working days period, the Controller must submit a preliminary notice with the corresponding justification. The preliminary notice must be supplemented as soon as possible and, at the latest, within twenty (20) working days.

It is also important to note that all security incidents must be recorded and kept on file for five (5) years as part of a Security Incident Record, which must include, at a minimum:

The date the controller became aware of the incident
A general description of the circumstances surrounding the incident
The nature and categories of the affected personal data
The number of affected data subjects
A risk assessment and potential damages to data subjects
Measures taken to mitigate the incident (if applicable)
Details of any notifications made to the ANPD or data subjects
The reasons for not notifying the incident (if applicable)

An additional recommendation, which is not legally required, is to implement contractual clauses establishing the obligations regarding notification of breaches between controllers and processors, seeking to expedite the assessment and minimize the risks to the data subjects.

On January 28, 2022, the ANPD published Regulation CD/ANPD 02/2022 which grants to small businesses, startups, and innovative companies, as defined by the law, except to those performing data processing activities which incur in high risks for data subjects the double deadline extension in the communication of security incidents, as well responding to data subjects’ requests, for communicating severe security incidents to the ANPD and affected data subjects, and for responding to ANPD’s requests.

Last modified 28 January 2024

The DPA does not require data controllers to notify the Information Commissioner or the data subjects of personal data breaches.

However, notice requirements apply to data controllers that receive enforcement notices from the Information Commissioner. The DPA requires a public or private body to, as soon as practicable, and in any event within 30 days of complying with an enforcement notice from the Information Commissioner: (i) notify the data subject(s) concerned; and (ii) any person to whom the personal data was disclosed within the twelve months preceding the date of service of the enforcement notice (as determined by the Information Commissioner).

Last modified 28 January 2025

Mandatory Breach Notification

At present no legal requirement save in relation to a "Financial Institution" (i.e. banks, insurance companies, moneylenders, pawnbrokers, moneychangers and securities service providers licensed in Brunei Darussalam).

It is anticipated that under the PDPO, organizations are required to, as soon as practicable, but in any case no later than 3 calendar days after the assessment, notify the Responsible Authority of a data breach that:

results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by a data breach relates; or
is or is likely to be, of a significant scale.

AITI have expressed their intentions to issue guidelines on “significant harm” and “significant scale” in the near future.

Organizations are also anticipated to be required to notify the affected individuals on or after notifying the Responsible Authority if the data breach results in, or is likely to result in, significant harm to an affected individual.

Further, it is anticipated that unreasonable delays in reporting breaches that cannot be justified will be considered a breach of the data breach notification obligation.

Where a data breach is discovered by a data intermediary, it is anticipated that under the PDPO, the data intermediary will be under a duty to notify the organization or the Responsible Authority of the data breach.

A Financial Institution is obliged to report to the Brunei Darussalam Central Bank, no later than 2 hours after confirmation of all instances of cyber intrusion, disruption, malfunction, error or cybersecurity issues on a Financial Institution's system, server, network or end-point which has a severe or widespread impact on the operations and service delivery or has a material impact on the Financial Institution.

Last modified 3 January 2024

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Bulgaria regulation

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding data breach notification and does not introduce any additional rules or requirements in this respect. Following the direct effect of the GDPR in all EU member states, the provisions of the regulation relating to this matter shall be observed. The Commission for Personal Data Protection adopted an internal framework of instructions for evaluation and assessment of submitted data breaches reports, including a methodology for risk assessment in case of established data breaches. The authority further approved a template of data breach notification, which controllers may use. The template is available online in Bulgarian language only.

Last modified 27 December 2024

Not applicable.

Mandatory breach notification

We have not identified, in the law, any general obligation to notify the data subject in the case of a security breach. However, Article 21 of the law provides that in the event where 'information has been transmitted by mistake to a third party, its rectification or cancellation shall be notified to that third party, unless an exemption is granted by the control authority' (i.e. the CIL).

Last modified 20 January 2025

There are no breach notification requirements in Burundi.

Last modified 17 January 2024

Currently, there is no breach notification requirement under Cambodian law. However, it is anticipated that the requirement for data controllers and data processors to notify the competent authority and the affected data subjects will be enforced once the Draft Law on Personal Data Protection comes into effect.

Last modified 20 January 2025

Once the controller or processor are aware of a personal data breach, he/she must immediately inform the Personal Data Protection Authority and the data subject. The draft of the bill provided for a 72-hour timeline.

Mandatory breach notification

Once the controller or processor are aware of a personal data breach, he/she must immediately inform the Personal Data Protection Authority and the data subject.

Last modified 6 January 2025

Currently, PIPEDA, PIPA Alberta, and the Quebec Private Sector Act are the only Canadian Privacy Statutes ‎with breach notification requirements.‎

In Alberta, an organization having personal information under its control must, without ‎unreasonable delay, provide notice to the Commissioner of any incident involving the ‎loss of or unauthorized access to or disclosure of personal information where a ‎reasonable person would consider that there exists a real risk of significant harm to an ‎individual as a result.‎

Notification to the Commissioner must be in writing and include:‎

A description of the circumstances of the loss or unauthorized access or disclosure
The date or time period during which the loss or unauthorized access or disclosure ‎occurred
A description of the personal information involved in the loss or unauthorized access ‎or disclosure
An assessment of the risk of harm to individuals as a result of the loss or ‎unauthorized access or disclosure
An estimate of the number of individuals to whom there is a real risk of significant ‎harm as a result of the loss or unauthorized access or disclosure
A description of any steps the organization has taken to reduce the risk of harm to ‎individuals
A description of any steps the organization has taken to notify individuals of the loss ‎or unauthorized access or disclosure, and
The name and contact information for a person who can answer, on behalf of the ‎organization, the Commissioner’s questions about the loss of unauthorized ‎access or disclosure

Where an organization suffers a loss of or unauthorized access to or disclosure of ‎personal information as to which the organization is required to provide notice to the ‎Commissioner, the Commissioner may require the organization to notify the individuals ‎to whom there is a real risk of significant harm. This notification must be given directly ‎to the individual (unless specified otherwise by the Commissioner) and include:‎

A description of the circumstances of the loss or unauthorized access or disclosure
The date on which or time period during which the loss or unauthorized access or ‎disclosure occurred
A description of the personal information involved in the loss or unauthorized access ‎or disclosure
A description of any steps the organization has taken to reduce the risk of harm, ‎and
Contact information for a person who can answer, on behalf of the organization, ‎questions about the loss or unauthorized access or disclosure

The Commissioner has recently changed its practices to recognize that most organizations who report a breach have already issued notice to the affected individual. The Commissioner will now generally only issue direction if the notice to the affected individual is deemed insufficient or if there is another material issue arising from the breach report.

The breach notification provisions under PIPEDA are very similar to the breach ‎notification provisions under PIPA Alberta. PIPEDA requires organizations to notify both the affected individuals and the federal regulator if the breach creates a real risk of significant harm to the individuals. Further, under PIPEDA, organizations must also ‎keep a record of ALL information security incidents, even those which do not meet the ‎risk threshold of a 'real risk of significant harm.'

The Quebec Private Sector Act, as modified by Bill 64, introduced a number of new obligations in ‎connection with 'confidentiality incidents,' which are defined as unauthorized access, use, or communication of personal ‎information, or the loss of such information, which were previously absent in Quebec privacy law‎. These include:‎

A general obligation to ‎prevent, mitigate and remedy security incidents
The obligation to notify the CAI and the person affected ‎whenever the incident presents a risk of ‎‎'serious ‎injury.' Factors to consider when evaluating the ‎risk of serious injury include the sensitivity of the ‎information ‎concerned, the anticipated consequences of the ‎use of the information and the likelihood ‎that the information will ‎be used for harmful purposes. Although the Quebec Private Sector Act requires organizations to act 'promptly' and 'with diligence' in response to confidentiality breaches, it does not provide specific timeframes within which such notifications must be made, and
The obligation on to keep a register of confidentiality ‎incidents, with the CAI having extensive audit rights. The obligation to record confidentiality incidents in the register applies even if the organization has established that the 'serious injury' threshold has not been met.

Where an organization suffers a confidentiality incident and it is determined that disclosure to the CAI is required on the basis that there is a risk of “serious injury”, the written breach report must include:

The name of the body affected and any Québec business number assigned to such body
The name and contact information of the person to be contacted in that body with regard to the incident
A description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description
A brief description of the circumstances of the incident and what caused it, if known
The date or time period when the incident occurred or, if that is not known, the approximate time period
The date or time period when the body became aware of the incident
The number of persons concerned by the incident and the number of those who reside in Québec or, if that is not known, the approximate numbers
A description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes;
The measures the body has taken or intends to take to notify the persons whose personal information is concerned by the incident, and the date on which such persons were notified, or the expected time limit for the notification
The measures the body has taken or intends to take after the incident occurred, including those aimed at reducing the risk of injury or mitigating any such injury and those aimed at preventing new incidents of the same nature, and the date or time period on which the measures were taken or the expected time limit for taking the measures, and
If applicable, an indication that a person or body outside Québec that exercises similar functions to those of the CAI with respect to overseeing the protection of personal information has been notified of the incident.

Where the risk of 'serious injury' has been established, affected individuals must also be notified. This notice must be provided directly to affected individuals, subject to certain limited exceptions, and include:

A description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description
A brief description of the circumstances of the incident
The date or time period when the incident occurred or, if that is not known, the approximate time period
A brief description of the measures the body has taken or intends to take after the incident occurred in order to reduce the risks of injury
The measures that the body suggests the person concerned take in order to reduce the risk of injury or mitigate any such injury, and
The contact information where the person concerned may obtain more information about the incident

Last modified 26 January 2023

There is a duty to notify CNPD in case of a data breach no later than 72 hours after becoming aware of the same, unless it is considered that such breach does not pose a risk to the rights, freedoms and warranties of the data subjects.

Last modified 16 January 2025

The DPA contains a general requirement for a personal data breach to be notified by the data controller to the Ombudsman and the relevant data subject(s). A personal data breach is a wide concept, defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed'.

The data controller must notify a breach to the relevant data subject(s) and the Ombudsman without undue delay, and in any case no longer than five days after the data controller should, with the exercise of reasonable diligence, have been aware of the breach.

The same rules apply where a breach occurs at the level of a data processor. Accordingly, data controllers should contractually require their data processors to notify the data controller of a breach in a timely manner.

The notification must describe the nature of the breach, the consequences of the breach, the measures proposed to be taken by the data controller to address the breach and the measures recommended by the data controller to the relevant data subject(s) to mitigate the possible adverse effects of the breach.

Last modified 28 January 2025

Breach of the provisions of Personal Data Act including breach notification is subject to following administrative sanctions by the ANSICE:

A warning to the data controller who does not comply with the obligations arising from the Law;
A formal notice to put an end to the breaches concerned within the time limit which it fixes;
Penalties in accordance with the observed shortcomings;
Interruption of treatment for a maximum of three years;
Blocking for a maximum of three months of certain processed personal data; or
Temporary or permanent prohibition of processing contrary to the provisions of the Act.

(Article 8 Article 8 of Act No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification)

In addition, a judge can take the following sanctions in case of breach notification:

Imprisonment from between 1-5 years;
Fines between XAF 1 million to XAF 10 million.

(Article 438 of the Criminal Code)

Mandatory breach notification

No mandatory breach notification protocol is provided under Chadian law.

Last modified 6 January 2025

There is no obligation to report a data breach.

Last modified 28 January 2023

Breach notification requirements are contained in the CSL, DSL and PIPL, and should be read together. "Network security incidents" that are notifiable are defined by reference to seven categories of different incident types, in particular:

Malicious program incidents;
Network attack incidents;
Data security incidents;
Information content security incidents;
Equipment and facility failure incidents;
Operational violation incidents;
Security risk incidents;
Abnormal behavior incidents;
Force majeure incidents; and
Other cyber incidents.

Guidelines set out other factors that should be considered whether a network security incident is potentially reportable. The China National Internet Emergency Center may be contacted in case of doubt as to whether an incident is potentially reportable.

An incident must be immediately notified: (i) internally, to the DPO; and (ii) externally, to the regulator (the PIPL refers to the CAC establishing (local) "personal information protection departments" (PIPD) for such purposes, but this is yet to be confirmed), and should include:

affected data categories;
reasons for the incident, and potential consequences;
remedial measures, and mechanisms required by data controller to minimize impact; and
contact information for data controller.

If the data controller can effectively avoid the disclosure, loss or tampering of data, the PIPL suggests that there is no need to notify data subjects. Otherwise (and as per the CSL and DSL) data subjects must be notified immediately if the actual or suspected network security incident may result in harm to the rights and interest of the affected data subjects. Further, if the PIPD believes it may cause impact to individuals, they may request that the data controller notifies individuals. Similar information must be given to the data subjects alongside advice on how to protect against risks arising from the incident.

Notably, the Network Data Security Management Regulation (intended to supplement the PIPL) clarifies that an incident that could harm national security or public interests must be reported to the authorities within 24 hours of identification.

Organizations should also adopt proactive measures to minimize the risk of personal information breaches or security incidents, including but not limited to, implementing and testing a data incident contingency plan and organizing training.

Further changes are also expected in this regard. We understand the regulators are working on a project to publish further guidelines as to how network security incidents should be managed. On 8 December 2023, the CAC released the Draft Administrative Measures on Cybersecurity Incident Reporting to solicit public opinions.

For security incidents in the field of industry and information technology, the Ministry of Industry and Information Technology published the Emergency Plan for Data Security Incidents in the Field of Industry and Information Technology (for Trial Implementation) on October 29, 2024, which is effective from November 1, 2024. This Emergency Plan provides new mechanisms to classify cybersecurity incidents and new reporting obligations for data handlers in the field of industry and information technology.

Last modified 20 January 2025

In accordance with Chapter 2, Title V of the Sole Circular issued by the SIC, a data breach refers to the violation of security codes or to the loss and unauthorized access of data subjects’ information held in a database managed by data controllers or data processors.

Under section 17. and section 18. of Law 1581, both the data controller and the data processor have a duty to notify the authority (SIC) in case of a breach of security, security risk, or a risk for data administration. Such notification shall be made no later than fifteen (15) business days from the date on which the data breach was detected.

Lastly, the Colombian data protection regime does not provide a threshold for data breach notifications. Hence, if there is a violation to the security codes or a risk in the management of data subjects’ information, data controllers and data processors must notify the breach.

Last modified 28 January 2024

There is no legal requirement to notify data breaches to ARTCI.

Last modified 6 January 2025

Any entity managing personal data must inform PRODHAB and affected data subjects about any breach of personal information (such as loss, destruction, or misplacement), within five business days after the time of the breach.

The notification to PRODHAB and data subjects must at least include the following information:

Nature of the breach;
Personal data compromised by the breach;
Immediate corrective actions taken by the entity;
Other preventive and corrective actions that will be taken;
Contact information to obtain further information.

Failure to provide notice within the required timeframe may result in a potential fine to be enforced by PRODHAB.

Last modified 28 January 2025

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Croatia regulation

The Act does not contain any special breach notification requirements other than those prescribed by the GDPR.

Last modified 16 January 2025

The Ministry of Communications, in coordination with other authorities, establishes the Program for Strengthening Cybersecurity and coordinates participation in activities required for this purpose and implements its control and inspection.

The Cuba rules introduced a general requirement for the reporting and notification of actual or suspected personal information breaches. Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organisations must promptly take relevant measures to mitigate any damage and notify the relevant data subjects and report to the relevant government agencies in a timely manner in accordance with relevant provisions.

Mandatory breach notification

All breaches must be reported according to a four-level security scheme.

Last modified 16 February 2022

National Ordinance Personal Data Protection

Contains no specific clauses.

GDPR

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Last modified 10 February 2025

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Cyprus regulation

According to the Law, the data controller may be exempted, in whole or in part, from his obligation to notify data subjects for breaches of personal data for one or more of the purposes listed in Article 23(1) of the GDPR, including inter alia, national security, defense, public security, prevention, investigation, detection or prosecution of criminal offences etc. In order for the foregoing to apply, an impact assessment and a prior consultation with the Commissioner need to be conducted. The Commissioner may also set out specific terms and conditions for such exemption.

Last modified 21 February 2022

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Last modified 16 January 2024

The person responsible for the data protection or Data Protection Officer, if one was designated, must notify the APD without delay of any personal data breach that has affected one’s personal data.

Any person who considers that his / her personal data have been misused or used without consent shall have the right to lodge a complaint with the APD. The APD shall inform the person lodging the complaint of the progress and outcome of the complaint, including the possibility of judicial remedy.

It is unclear at this stage how a notification must be performed as the decree organising the APD has not yet been drafted nor adopted.

Mandatory breach notification

Not applicable.

Last modified 6 January 2025

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Denmark regulation

The Danish Data Protection Act does not set out provisions on notification in case of security breach. Thus, the articles of the GDPR apply, under which the data must notify the DPA no later than 72 hours after becoming aware of the security breach.

Breaches can be reported to the Danish Data Protection Agency by filling out a form on the Danish Business Authority’s website.

Further, if the security breach is likely to expose the data subject to risk related to its rights and civil rights, the data controller shall notify the data subject without unnecessary delay.

Last modified 16 January 2025

There is no obligation to provide notice of a breach.

Last modified 28 January 2025

Mandatory breach notification

Data controllers or the individual in charge of the treatment of personal data must notify the breach of personal security data to the Personal Data Protection Authority and the Telecommunication Control Agency, as soon as possible, and at the latest within a term of five (5) days after the occurred breach incident, unless it is unlikely that said breach of security constitutes a risk to the rights and freedoms of its individual owners. If the notification to the Data Protection Authority does not take place within five (5) days, it must be accompanied by an indication of the reasons for the delay.

According to the Regulation to the Personal Data Protection Organic Law, the following circumstances are deemed a risk to the rights and freedoms of persons:

When the data have been destroyed, no longer exist or are not available in a form that is useful to the data controller.
When the personal data have been altered, corrupted or are no longer complete.
When the controller has lost control or access to the data, or the data is no longer in its possession.
When the processing has not been authorized or is unlawful, which includes the disclosure of personal data or access by recipients or third parties who are not authorized to receive or have access to the data, or any other form of processing that is executed contrary to the provisions of the Law.

The data breach notification must provide for the following aspects:

The nature and type of breach.
Data owners or interested parties affected.
Breached systems.
Presumed cause of the breach.
Volume and types of compromised or exposed data.
Response and mitigation measures.
Risk assessment for the rights and freedoms of the data owners.

Data controllers or the individual in charge of the treatment of personal data must notify the person in charge of any violation of the security of personal data as soon as possible, and at the latest within a term of two (2) days from the date on which he becomes aware of it.

The person responsible for the treatment must notify the owner of the breach of personal data security without delay when it entails a risk to their fundamental rights and individual freedoms, within a term of three (3) days from the date on which they became aware of the risk.

Last modified 28 January 2025

Pursuant to Article (7) of the Law, each of the controller and the processor, as the case may be, shall notify the Centre with any personal data infringement, within seventy-two (72) hours of such infringement. In the event that such infringement relates to national security protection concerns, the notification shall be immediate. In all events, the Centre shall immediately notify the National Security Authorities with the infringement and provide them, within seventy-two (72) hours from being aware of the infringement, with the following:

description of the nature of the infringement, the form and the reasons thereof as well as the approximate number of personal data and their records;
the information of the DPO;
the potential consequences of the infringement;
description of the procedures which have been followed and the proposed procedures to be adopted in order to minimize the negative impacts of the infringement;
evidence of documenting any personal data infringement and the corrective actions which have been taken to solve it; and
any documents, information or data requested by the Centre.

In all events, the Controller and Processor, as the case may be, shall notify the data subject within three (3) days from the date of notifying the Centre, with the infringement and the adopted procedures related thereto.

The Law defines the National Security Authorities as the Presidency, Ministry of Defence, Ministry of Interior, the General Intelligence Directorate, and the Administrative Control Authority.

Last modified 19 January 2024

Breach notification is not regulated.

Last modified 28 January 2024

The breach of notification constitutes a minor infringement when the data was obtained from the person concerned (art. 39 C) and a major infringement when the data was not obtained from the person concerned (art. 40 C).

Mandatory breach notification

The law does provide for a mandatory breach duty. Notwithstanding, it provides that in the case of a severe or major breach likely to affect a fundamental right or personal data the sanctioning organ may require the person responsible to restrain the use, communication, give out, or the illegal transfer.

Last modified 6 March 2025

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Estonia regulation

The PDPA and the Implementation Act do not foresee any derogations / additional requirements to the GDPR.

Last modified 16 January 2025

There is no general breach notification requirement in Ethiopia.

However, the Computer Crime Proclamation No. 958/2016 requires service providers with knowledge that a crime stipulated by the Proclamation (including breach of privacy via unauthorized access) has been committed by a third party through the computer system it administers to immediately notify the Information Network Security Agency, report the crime to police, and take appropriate measures.

Ethiopian Communications Authority’s Sim Card Registration Directive under Article 24 obliges a telecommunication operator to notify the Ethiopian Communications Authority of any data breach that compromises subscribers’ information within seven (7) business days from discovery of the breach. The operator shall also notify the affected subscriber of such breach.

Last modified 12 January 2023

None.

Last modified 31 January 2023

No applicable laws.

Last modified 3 January 2024

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Finland regulation

In Finland the general breach notification procedure follows the rules set by GDPR.

Personal data breaches must be reported to the Office of the Data Protection Ombudsman. The report can be made to the Office of the Data Protection Ombudsman through their website.

However, certain special national legislation does include additional requirements on breach notifications. The Act on Electronic Communication Services establishes an obligation for telecommunications operators to notify their subscribers, users and the Finnish Transport and Communications Authority (‘Traficom’) of significant information security violations or threats and of anything else that prevents or significantly interferes with communication services. In addition, under the Act on Electronic Communication Services, domain name registrars shall notify Traficom without undue delay of significant violations of information security in its domain name services and of anything that essentially prevents or disturbs such services.

The Act on Strong Electronic Identification and Electronic Signatures (2009/617) (Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista) also states that an electronic identification service provider shall notify service providers using its services, identification device holders as well as Traficom of severe risks and threats to its data security.

Last modified 4 January 2023

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

France regulation

Article 85 of the Decree restricts the obligation of notification under Article 34 of the GDPR for the following processing:

Processing including personal data allowing to identify, directly or indirectly, individuals whose identity is protected under Article 39 sexies of the French law on the freedom of the press; and
Administrative, financial and operational data, as well as health data processing for which the notification of an unauthorized disclosure or access is likely to result in a risk for the national security, defense or public, due to the volume of data affected by the breach and the private information it contains (such as the family address or composition).

Last modified 5 January 2025

There is a legal requirement to notify data breaches to APDPVP. For more details please refer to "Mandatory Breach Notification" below.

Mandatory breach notification

Under article 142 of the Data Protection Act, in the event of a data breach, the data controller is required to notify the Personal Data Protection and Privacy Authority (APDPVP) without delay. This notification must include the nature of the breach, the categories and approximate number of persons concerned, the measures taken or envisaged to remedy the breach, and the contact details of the Data Protection Officer or another contact point for further information.

In addition, if the breach is likely to result in a high risk to the rights and freedoms of the data subjects, the data controller must inform the data subject individually as soon as possible, as specified in article 145 of the aforementioned law. This communication must be made in clear and simple terms, describing the nature of the breach and providing the information and measures necessary to remedy the situation, in accordance with article 146 of the aforementioned law.

However, there are specific cases where communication to the data subject is not necessary, as provided for in Article 147 of the aforementioned Data Protection Act. These cases include, in particular, where the data controller has taken measures to protect the data affected by the breach, has taken preventive measures against any high risk to the rights and freedoms of the data subjects, or finds that communication would require disproportionate efforts. In such cases, the controller must make a public announcement or take a similar measure enabling the data subjects to be informed in an equally effective manner.

Last modified 6 January 2025

As already outlined above (Registration Chapter), a controller is obliged to register an incident, its resulting outcome, the measures taken, and to notify the Personal Data Protection Service about the incident, not later than 72 hours after the identification of the incident, in writing or electronically, except for the case where it is least expected that the incident would cause significant damage and / or pose a significant threat to fundamental human rights and freedoms. A processor is obliged to notify a controller immediately about an incident.

The respective notification as referred to above shall contain the following information on:

the circumstances, type and time of the incident;
the possible categories and volume of data that have been disclosed, damaged, deleted, destroyed, obtained, lost, or altered in a non-authorized manner as a result of the incident, as well as the possible categories and number of data subjects that have been exposed to a threat as a result of the incident;
the measures taken or planned by a controller for mitigating or eliminating any possible damage caused by the incident;
whether or not, and within what time frame, a controller plans to notify a data subject(s) about the incident;
the data of a personal data protection officer or other contact persons.

if it is impossible to provide the information provided for above entirely and in full, a controller has a right, in agreement with the Personal Data Protection Service, to provide the information gradually, within a reasonable period.

The criteria for identifying an incident posing a significant threat to fundamental human rights and freedoms as provided above, and the procedure for notifying the Personal Data Protection Service about the incident, is established by a normative act of the head of the Personal Data Protection Service. According to the said normative act, types of incidents include:

Breach of confidentiality – Unauthorized disclosure of or access to personal data;
Breach of integrity – Unauthorized alteration of personal data, as well as unlawful or accidental damage, loss, or destruction;
Breach of availability – Loss of access to, restriction of access to, destruction, or deletion of personal data.

In addition to notifying the Personal Data Protection Service, If there is a high probability that an incident will cause significant damage and / or pose a significant threat to fundamental human rights and freedoms, a controller is obliged to inform a data subject about the incident immediately, or without unreasonable delay, after the identification of the incident, and to provide, in a simple and understandable language, the following information on:

a general description of the incident and the related circumstances;
the possible / resulting damage caused by the incident, and the measures taken or planned in order to mitigate or eliminate the damage;
the contact details of the personal data protection officer or other persons.

If informing a data subject requires disproportionately great efforts, expenses and time, a controller is obliged to make public the information provided for above or to disseminate it in another form that ensures the possibility of the data subject receiving the information. This obligation shall not arise where one of the following circumstances exists; namely if:

informing a data subject on the incident poses a threat to the interests of the protection of state secrets, the interests of state security, information security and cyber security and / or defense, the interests of public safety, crime prevention, operative and investigative activities, a criminal investigation, a criminal prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences or probation, interests related to financial or economic (including monetary, budgetary, and taxation) matters, public health and social protection that are essential for the country;
if a controller has taken appropriate security measures that have resulted in the prevention of a significant risk of violation of fundamental human rights and freedoms.

Last modified 6 January 2025

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Germany regulation

Personal data breaches should be notified to the competent supervisory authority. The German supervisory authorities generally make available specific web forms for notifications and some of them have published risk rating requirements for personal data breach notifications.

The German BDSG only contains slight changes and additions to the regulations in Article 33, 34 GDPR.

Section 29 (1) BDSG stipulates in addition to the exception in Article 34 (3) GDPR, the obligation to inform the data subject of a personal data breach according to Article 34 GDPR shall not apply as far as meeting this obligation would disclose information which by law or by its nature must be kept secret, in particular because of overriding legitimate interests of a third party. By derogation from this, the data subject pursuant to Article 34 GDPR shall be informed if the interests of the data subject outweigh the interest in secrecy, in particular taking into account the threat of damage.

According to Section 43 (4) BDSG, a notification pursuant to Article 33 GDPR or a communication pursuant to Article 34 (1) GDPR may be used in proceedings pursuant to the Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten – "OWiG") against the person required to provide a notification or a communication only with the consent of the person obligated to provide a notification or a communication.

Last modified 16 January 2025

Where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data controller or a third party who processes data under the authority of the data controller shall notify the Commission and the data subject of the unauthorised access or acquisition as soon as reasonably practicable after the discovery of the unauthorised access or acquisition of the data. The data controller shall take steps to ensure the restoration of the integrity of the information system.

The data controller shall delay the notification to the data subject where the security agencies or the Data Protection Commission inform the data controller that the notification will impede a criminal investigation.

Last modified 19 January 2024

The Gibraltar GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A "personal data breach" is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

Mandatory breach notification

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Personal data breaches should be notified to GRA as Gibraltar's supervisory authority. Breaches must be reported to the GRA using their Data Breach Notification Form available on their website and sent by email to [email protected].

Last modified 19 January 2024

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Greece regulation

The Greek Data Protection Law does not derogate from the provisions of the GDPR.

It is worth noting, however, that it provides for an additional exception from the obligation to communicate data breaches to the data subject under Article 34 GDPR. Article 33 (5) of the Greek Data Protection Law provides that in addition to the exception established in Article 34 (3) GDPR, the obligation to communicate a personal data breach to the data subject does not apply when such notification would lead to disclosure of information which must be kept confidential by operation of law or due to their nature, unless the data subject’s interests take precedence.

Further, according to the Hellenic Data Protection Authority (“HDPA”), the procedure to be followed for a Data Breach Notification is the following:

The Controller may complete the relevant form and submit it to the HDPA electronically via its web portal;
By way of exception, as regards entities that are not established in Greece, the notification of the data breach procedure may be made via email.

Parallel application of data protection and cybersecurity law

According to Article 27 (1) of the Greek Cybersecurity Law, where the National Cybersecurity Authority, acting in the context of its supervisory and enforcement powers, finds that a breach of the minimum cybersecurity requirements of Articles 15 and 16 of the Greek Cybersecurity Law (cybersecurity management measures or incident reporting requirements) involves a personal data breach as defined in Article 4(12) of GDPR, which must be notified in accordance with Article 33 of that Regulation to the Hellenic Data Protection Authority (‘HDPA’), the National Cybersecurity Authority shall inform the HDPA without undue delay.

Last modified 16 January 2025

Breach Notification is not regulated, however, Art. 17 of the Law on Access to Public Information stipulates that the person consulting public information must give notice to the relevant authority of the destruction or misuse of public information.

Mandatory breach notification

Mandatory Breach Notification is not regulated.

Last modified 21 December 2021

What is a breach?

The DPL 2017 defines a 'personal data breach' as a "breach of security leading to the (a) accidental or unlawful destruction, loss, or alteration of; or, (b) unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

This definition replicates the definition set out in Article 4 of the GDPR.

Notice to ODPA

As with the GDPR, the DPL 2017 requires all controllers, upon becoming aware of a personal data breach to provide written notice to the ODPA as soon as practicable and no later than 72 hours after becoming so aware. Section 42(5) of the DPL 2017 provides an exemption from the duty to notify the ODPA where the personal data breach is "unlikely to result in any risk to the significant interests of the data subject".

In determining whether or not there is a risk, the ODPA's guidance entitled 'Notification of Personal Data Breaches' ("Breach Guidance") advises organisations who process personal data to consider the type of personal data they hold and whether any breach could, both at the time of the breach and in the future, 'adversely affect an individual' taking into consideration the potential for financial loss, reputational damage, or identity fraud.

The DPL 2017 stipulates the sort of information which must be provided to the ODPA in the event of such a breach including a description of the nature of the personal data breach, contact details of the DPO or contact point, a description of the likely consequences of the breach, a description of the measures taken or proposed to be taken to address risks and mitigate against possible adverse effects and an explanation of any delays (where a breach has been notified after 72 hours).

All breaches which must be notified to the ODPA can be submitted to the ODPA via their online secure breach reporting facility.

In any case, whether a personal data breach is notified to the ODPA or not, the controller must keep a written record of each personal data breach of which the controller is aware, including the facts relating to the breach, the effects, the remedial action taken and any steps taken by the controller to comply with its notification obligations (including a copy of the notice provided to the ODPA).

Notice to data subjects

Where a controller becomes aware of a personal data breach that is likely to pose a "high risk to the significant interests of a data subject", the controller must give the data subject written notice of the breach as soon as possible.

The Breach Guidance provides a non-exhaustive of factors for controllers to take into account when determining whether a breach poses a 'high risk'. Whilst financial loss, reputational damage and identity fraud must be considered, the Breach Guidance also includes the risk of whether the breach might have an adverse impact of safety or wellbeing of the data subject (including psychological distress or humiliation). When assessing the risks, the ODPA expects all controllers to consider the nature, scope, context and purpose of the compromised personal data, including whether special category data had been compromised.

Any notice given to an affected data subject must include a description of the nature of the breach, the name and contact details of the DPO or point of contact, a description of the likely consequences of the breach, and a description of the measures taken or proposed to be taken by the controller to address the breach.

A controller is exempt from the requirement to notify a data subject where it has:

established and carried out appropriate technical and organisational measures to protect personal data and, in particular, those measures have rendered personal data unintelligible to any person who is not authorised to access it (e.g. encryption); or
taken subsequent measures to mitigate the risk, such that the 'high risk' is no longer likely to materialise, or where the performance of the duty would involve 'disproportionate effort'.

Whilst the Breach Guidance does not define what will amount to 'disproportionate effort to notify', it clarifies that a controller must nonetheless publish a notice (without making public any personal data) or take any other step equivalent to publication in order to inform the data subjects in an equally effective manner.

Notice to controller (where a processor is engaged)

The responsibility for reporting a personal data breach to the ODPA rests with the controller. However, where a processor becomes aware of a personal data breach, the processor must give the controller notice as soon as practicable. Where notice is given orally, written notice must follow at the first available opportunity.

Other regulatory notification requirements

Guernsey's European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance 2004 (as amended) ("e-Privacy Ordinance") requires a provider of a public electronic communications service (the 'service provider') to notify subscribers of a significant risk to the security of the service.

A regulated financial entity must notify the Guernsey Financial Services Commission (the GFSC), as soon as reasonably practicable, upon becoming aware of a cyber security event which has resulted in:

any loss of significant user data;
significant loss of availability to IT systems;
significant cost to the business;
significant loss of business capability;
significant loss of service to users.

The GFSC does not require licensees to inform them of a data breach unless the data breach is as a result of a cyber security event. However, if a data breach results in the licensee not being able to comply with its regulatory requirements, the GFSC should be notified. Legal advice should be obtained on whether the data breach requires a licensee to notify the GFSC – it may not be required as a matter of course.

Last modified 16 January 2025

Law on Cybersecurity and Personal Data Protection provides that the authority in charge of personal data protection may pronounce the following measures against the Data controller:

A warning to the said controller who does not comply with the obligations resulting from the Law on cybersecurity and Personal Data Protection to which he is subject;
A formal notice or summons to cease or to cease the breaches noted, within the time limit set by said protection authority.

Last modified 20 December 2021

The law does not regulate how breach of data should be handled. However, any communication of personal data (including breaches) can be subject to criminal and administrative lawsuits.

Mandatory breach notification

No regulation on the matter.

Last modified 16 January 2025

Breach notification is not required.

Last modified 10 February 2025

There is no statutory definition of a data breach under the Ordinance. However, under the non–binding guidance issued by the PCPD, data breach is defined as a “suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorized or accidental access, processing, erasure, loss or use.”

Currently there is no mandatory requirement under the Ordinance for data users to notify authorities or data subjects about data breaches in Hong Kong. However, according to non‑binding guidance issued by the PCPD (last updated in June 2023), as a matter of best practice the PCPD encourages notification to the PCPD and to the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the data breach is likely to result in a real risk of harm to affected data subjects. Specifically, the non‑binding guidance recommends that organizations should follow the following key steps in order when handling a data breach:

immediate gathering of essential information;
containing the data breach;
assessing the risk of harm;
considering giving data breach notifications; and
documenting the breach.

To assist organizations in reporting data breach incidents to the PCPD more effectively and in a more convenient manner, the PCPD provides an e-Data Breach Notification Form on its website.

Past high profile data incidents in recent years have led regulators and politicians to consider introducing more stringent breach notification rules. The PCPD has already hinted at increased use of compliance checks and greater publication of investigation reports as part of "fair" enforcement of the law. The January 2020 Consultation Paper proposed mandatory breach notification requirement for organizations to notify a data incident to both the PCPD and the impacted data subjects within the prescribed period where there is a real risk of significant harm. The PCPD’s Report issued in February 2023 and the Panel Meeting Summary published in February 2024 also indicated that establishing a mandatory data breach notification mechanism would be one of the upcoming amendments.

Last modified 20 January 2025

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Last modified 11 January 2024

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Iceland regulation

A personal data breach is defined in the DPA as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Regarding the security of the processing and notification of a personal data breach, Articles 32, 33 and 34 of the GDPR are implemented into Icelandic national legislation via Article 27 of the DPA, without any alterations.

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Data Protection Authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Furthermore, the processor shall notify the controller without undue delay after becoming aware of a personal data breach.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The Icelandic Data Protection Authority has issued guidelines for notifications of personal data breaches which are based on the instructions of the Article 29 Working Party and all such breaches, which are subject to the notification requirement, shall be notified to the Data Protection Authority via a centralized reporting portal.

Last modified 16 January 2025

Under the DPDP Act, in the event of a personal data breach, a Data Fiduciary is required to inform each affected Data Principal and the Board. The Draft Rules prescribe the manner in which the notification is required to be made (including the time period and the details required to be contained).

Personal data breach is broadly defined under DPDP Act as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.

Therefore, Data Fiduciaries are required to report all types of personal data breaches, regardless of the sensitivity of the breach or its impact on the Data Principal. Under the DPDP Act, neither materiality thresholds nor express timelines have been prescribed for the reporting requirement.

The DPDP Act is not the sole regulation imposing reporting requirement for data breaches. The existing cybersecurity framework also mandates reporting of cybersecurity incidents, which may include personal data breaches, to the Cert-In. In the absence of any conflicting information, both sets of regulations will be applicable.

The Government of India has established and authorized the Cert-In to collect, analyze and disseminate information on cyber incidents, provide forecasts and alerts of cybersecurity incidents, provide emergency measures for handling cybersecurity incidents and coordinate cyber incident response activities. The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (Cert-In Rules) along with the Cyber Security Directions impose mandatory notification requirements on service providers, intermediaries, data centers and corporate entities, upon the occurrence of certain cybersecurity incidents.

Cyber security incidents have been defined to mean any real or suspected adverse events, in relation to cybersecurity, that violate any explicitly or implicitly applicable security policy, resulting in:

unauthorized access, denial or disruption of service;
unauthorized use of a computer resource for processing or storage of information;
changes to data or information without authorization.

Under the Cyber Security Directions, the occurrence of the following types of cybersecurity incidents are to be reported:

targeted scanning / probing of critical networks / systems;
compromise of critical systems / information;
unauthorized access of IT systems / data;
defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc;
malicious code attacks such as spreading virus / worm / trojan / bots / spyware / ransomware / cryptominers;
attack on servers such as databased, Mail and DNS and network devices such as routers;
identity theft, spoofing and phishing attacks;
denial of service and distributed denial of service attacks;
attacks on critical infrastructure, SCADA and operation technology systems and wireless networks;
attacks on applications such as e-governance, e-commerce, etc;
data breach;
data leak;
attacks on internet of things devices and associated systems, networks, software and servers;
attacks or incident affects digital payment systems;
attacks through malicious mobile applications;
fake mobile applications;
unauthorized access to social media accounts;
attacks or malicious / suspicious activities affecting cloud computing systems / servers / software / applications;
attacks or malicious / suspicious activities affecting systems / servers / networks / software / applications related to Big Data, block chain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, drones;
attacks or malicious / suspicious activities affecting systems / servers / software / applications related to artificial intelligence and machine learning.

These incidents can be reported to Cert-In via (i) email ([email protected]), (ii) phone (1800-11-4949), or (iii) fax (1800-11-6969). The reporting methods and formats are available at www.cert-in.org.in and will be updated from time to time. The compliance obligations under the Cyber Security Directions extend to all entities which have computer systems, networks and / or resources in India, irrespective of whether the entity is incorporated in or outside India.

Data Fiduciaries may review their data breach reporting protocols and assess each incident in accordance with the guidelines outlined in the DPDP Act and the Cert-In Rules to ascertain whether it necessitates reporting under either or both regulatory frameworks.

Last modified 6 January 2025

The PDP Law contains a general requirement for a personal data breach to be notified by the controller to both (i) the affected personal data subjects and (ii) the PDP Agency, and for more serious breaches which would disturb public services and / or significantly affect the public interest, to also be notified to the public.

Personal data breach is a wide concept, which under the PDP Law is referred to as a "personal data protection failure" and defined as any "failure in protecting a person’s personal data in terms of confidentiality, integrity, and availability of the personal data, including security breaches, whether intentional or unintentional, which lead to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed".

The PDP Law stipulates that in the event of such a personal data protection failure, the personal data controller must deliver a written notification within 72 hours.

The PDP Law provides guidelines on the required content of the written notification, which must at least include:

a description of the personal data that was breached;
when and how the personal data was breached; and
the efforts undertaken by the personal data controller to mitigate the effects of the data breach and recover affected personal data.

However, until the PDP Agency is formed and operating, data breach notifications should continue to be submitted to the KOMDIGI and other relevant institution(s) pursuant to General Data Protection Regulations, as follows:

Reporting obligations to relevant authorities

If there is a serious system interference or failure caused by acts of a third party on its electronic system, a report shall be made immediately and at a first instance to:
- a law enforcement official (in practice, mostly if the breach is suspected to contain matters related to cybercrimes); and
- the relevant Ministry or Agency (namely Directorate General for Informatics Application (Direktorat Jenderal Aplikasi Informatika or commonly abbreviated as "DITJEN APTIKA")) , and if required (often also as a matter of custom / courtesy) its specific sector’s authority.

However, there is no specific definition or elucidation provided on what "immediately" or "first instance" shall mean. In practice, typically, such an event would be reportable if there is certain loss, namely where the impact due to failure of the electronic system has legal consequence to the user, operator and other parties, both material and immaterial.

On the content / coverage of the report, there is no specific minimum information prescribed, except that the electronic system operator / PSE (data controller / processor), shall also take the necessary measures to secure the electronic information / document under its control.

However, in practice and pursuant to the DITJEN APTIKA’s current policy, DITJEN APTIKA has made available a prescribed notification format which shall be completed with, among others, the following information:

How the notifying party is aware of such breach;
Description of the event;
Period of the incident;
Category of the disclosed personal data (general data and / or specific data);
Estimation of the total affected individuals;
The affected person’s status (employee, consumer, student and etc);
Description of the interfered components of the electronic system;
Impact to the notifying party;
Period of recovery (for the notifying party to recover the electronic system);
Accessibility of data protection trainings for the individuals involved in the processing of personal data of the notifying party;
Efforts to handle and recover from the disclosure of personal data by the personal data controller;
Efforts to prevent future issues; and
Notification to the affected individuals

Notification obligations to relevant data subject

A notification shall be sent within 14 (calendar) days of discovery / determination of a breach, namely upon failure to protect the secrecy of the personal data in the electronic system.

There is no further description on what would contain a "failure to protect the secrecy of the personal data". The KOMDIGI would, as a general rule, consider such a failure presentif other parties (with no rights to access) may identify the affected person based on the disclosed data.

On the content / coverage of the notification, it must at the minimum provide the reason or cause of the occurrence of the failure in protecting the secrecy of personal data. No specific format is prescribed.

Last modified 20 January 2025

There is no requirement to report data breaches to any individual or regulatory body.

Last modified 23 May 2019

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Ireland regulation

Personal data breaches should be notified to the DPC which has a published web form and risk rating requirement for personal data breach notifications.

The online breach reporting web form requires specific information to be provided depending on whether the personal data breach is a national or cross-border breach (in the latter case where the DPC acts as the lead supervisory authority under GDPR’s main establishment (or “one-stop shop”) regulatory mechanism). Further specific information is required to be provided for telecommunications and internet service providers to report breaches under Commission Regulation (EU) No 611/2013.

Organisations reporting breaches are requested to provide a self-declared risk rating using the following thresholds:

Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
High Risk: The breach may have a considerable impact on affected individuals.
Severe Risk: The breach may have a critical, extensive or dangerous impact on affected individuals.

Last modified 17 January 2025

Pursuant to the Data Security Regs, data breach notifications are required depending on the severity of the breach and the category of the database. Such notifications are generally to the IPA which may require further notification to the data subjects.

On August 7, 2022 the IPA updated their data breach notification policy. The IPA requires immediate reporting not only upon discovery, but also when there is merely a concern about the existence of a Serious Information Security Incident (as defined in the PPL), as well as the steps to be taken following the incident.

Last modified 25 December 2024

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

In the new version of the European Data Protection Board Guidelines 09/2022 issued on March 28, 2023, the EDPB specified the mere presence of a representative of a data controller not established in the EU does not trigger the one-stop-shop system. Therefore, the data breach shall be notified to every supervisory authority for which affected data subjects reside in their Member State.

Italy regulation

The Privacy Code does not set out additional rules on data breach notifications.

However, data breaches that require notification should be notified to the Garante by completing a form available at the Garante website. The notification form, once completed with the required information, must be sent via certified e-mail to the Garante and must be signed digitally (with qualified electronic signature / digital signature) or with handwritten signature.

Last modified 16 January 2025

Under the Amended APPI, business operators shall report data breach incidents to the PPC and affected data subjects if the data breach incidents could harm the rights and interests of individuals. The PPC set the concrete threshold for reporting obligations and in the case of any of the below (i)-(iv), the business operator needs to report it to the PPC and notify the affected individuals: (i) Sensitive Personal Information is or likely to have been leaked, (ii) Personal Information that would cause financial damage by unauthorized use is or likely to have been leaked, (iii) data leakage by wrongful purpose is or likely to have been occurred, and (iv) data leakage incident that involves more than 1,000 data subjects is or likely to have been occurred.

In addition, the PPC guidelines suggest that business operators (i) make necessary investigations and take any necessary preventive measures, and / or (ii) make public the nature of the breach and steps taken to rectify the problem, if appropriate and necessary.

According to the PPC guidelines, if a factual situation demonstrates that the Personal Information which has been disclosed was immediately collected before being seen by any third party or not actually disclosed, (such as the case where the company has encrypted the data or otherwise secured the data in such a way that it has become useless to third parties being in possession of such data), the notice to the PPC or any other relevant authority is not necessary.

Last modified 20 January 2025

The DPJL includes obligations related to ‘personal data breaches’, which are defined in the DPJL as breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data controllers must notify the Information Commissioner via an online portal that a personal data breach has occurred within 72 hours of becoming aware of the breach (Article 20 DPJL). A breach does not need to be notified to the Information Commissioner where it is unlikely to result in a risk to the rights and freedoms of natural persons in respect of their personal data. If there is a high risk that the personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the data controller must also notify those individuals.

Controllers are also required to keep a record of all data breaches (Article 20(5) DPJL) (whether or not notified to the Information Commissioner) and permit audits of the record by the Information Commissioner.

Last modified 16 January 2025

In the relation to the Cybercrimes, the injured party shall have the right to submit a complaint before the Cybercrime Unit and the latter shall review the complaint and transfer it to the court.

Mandatory breach notification

It is stated in the aforementioned draft Personal Data Protection law, under Article (6), that a unit will be established within the Ministry of Digital Economy and Entrepreneurship, which will be responsible for preparing a regulation that controls the process of receiving notifications and complaints regarding any violations that may affect personal data.

The second law is “Cyber Security Law No. 16 of 2019” as it has established a National Center for Cyber Security, which receives complaints and reports related to cyber security and cyber security incidents. The law opened the door for further collaboration with different official entities according to its sphere of specialty.

The Cybersecurity Framework for Jordan Financial Sector – V. 1 – July, 2021, states that organizational-level severity rating is performed by the entity to define the point at which the incident should be treated as a disaster, in addition to determine escalation procedures, as well as human resources and time durations to recover. The entity has to notify the Central Bank of Jordan / Financial Cyber Emergency Response Team about the incident according to the following timelines:

Initial notification within 2 hours from confirming time.
After the closure of the incident for “Low” incidents.
Within 8 hours from confirming the incident and one time every two business days for “Medium” incidents.
Within 4 hours from confirming the incident and once a day for “High” incidents.

Additionally, Article (49) of the Instructions for Handling Cyber Risks No. (26/1/1/1984) for the Year 2018 stipulates that “the company shall notify the Central Bank in the event of discovering that it has been exposed to any cyber incident or any attempt of cyber-attack characterised by a high degree of danger to its systems or networks, no later than 72 hours from the moment of discovery of the cyber-event and according to the mechanism that will be adopted by the Central Bank, and inform the relevant security services of any case of embezzlement, forgery, theft or fraud resulting from the cyber event as soon as it is discovered and in accordance with the relevant laws and instructions.”

Last modified 11 January 2024

An owner and / or operator of a database containing personal data should notify the authorized state body of security incidents related to an illegal access to the personal datawithin one business day since of detection.

Last modified 4 February 2025

Section 43 of the Act

As far as technical measures are concerned, the General Regulations require the use of hashing and cryptography to limit the possibility of repurposing personal data. They also require that the contract between a data controller and a data processor to include a clause on security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure.

With respect to organizational measures, the General Regulations require a data controller or data processor to develop, publish and regularly update a policy reflecting their personal data handling practices. The policy may include:

the nature of personal data collected and held;
how a data subject may access their personal data and exercise their rights in respect to that personal data;
complaints handling mechanisms;
lawful purpose for processing personal data;
obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and where possible, specify such recipients;
the retention period and schedule; and
the collection of personal data from children, and the criteria to be applied.

The General Regulations provide for specific obligations to the data controller and data processor under the data protection principle of integrity, confidentiality and availability. These include:

having an operative means of managing policies and procedures for information security;
assessing the risks against the security of personal data and putting in place measures to counter identified risks;
processing that is robust to withstand changes, regulatory demands, incidents, and cyber-attacks;
ensuring only authorised personnel have access to the data necessary for their processing tasks;
securing transfers shall be secured against unauthorised access and changes;
securing data storage from use, unauthorised access and alterations;
keeping back-ups and logs to the extent necessary for information security;
using audit trails and event monitoring as a routine security control;
protecting sensitive personal data with adequate measures and, where possible, kept separate from the rest of the personal data;
having in place routines and procedures to detect, handle, report, and learn from data breaches; and
regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.

Mandatory Breach Notification

Yes. Please see above analysis under “Breach Notification”. The ODPC has also launched a portal where data breach notifications should be made.

Last modified 6 February 2025

Breach notification to the IPA

LPPD foresees a mandatory breach notification to the IPA by data controllers not later than seventy-two (72) hours after becoming aware of the breach, unless the personal data breach is unlikely to risk the rights and freedoms of natural persons (Article 33 (1) (1)). When the data controller fails to report the breach after the 72 hours of becoming aware of it, the notification to IPA must also contain reasons on delayed notification.

With regards to the processors, the LPPD states that they should notify the breach to IPA without undue delay (Article 33 (2)), however a specific deadline as in the case of controllers is not provided.

Breach notification to the Data Subject

The data subject is notified on any breach resulting in a high risk to his/her rights and freedoms, without undue delay (Article 34 (1)). The obligation to communicate the breach to the data subject will not apply, provided the following conditions are met (Article 34 (3)):

the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects (i.e. natural persons) is no longer likely to materialise;
it would involve disproportionate effort, whereby, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Last modified 4 February 2025

The Data Protection Regulation mandate that service providers promptly notify data subjects and relevant authorities in the event of a data breach that may compromise the security of their users' personal data. Service providers are required to report any personal data breaches to both CITRA and the affected individuals within 24 hours of becoming aware of the breach. However, notification to the data subjects is not required if the service provider has implemented appropriate technical and organizational protection measures, and these measures have been effectively applied to the personal data affected by the breach.

Last modified 4 February 2025

If the Holder (Owner) of personal data (data controller) transfers the personal data without consent of the data subject to a third party they must inform the data subject within a week.

Last modified 4 February 2025

There is no mandatory breach notification in Laos under the Law on Electronic Data Protection. Individuals and legal entities facing a breach may make a notification, but to seek assistance and recommendations on how to solve the breach, and not for the sake of transparency.

However, in 2020, the Bank of Lao PDR issued the Decree on Consumer Protection Concerning Financial Services. Like the Law on Commercial Banks, enacted in 2023, the decree reiterates the importance of financial service providers (e.g. commercial banks) protecting their customer’s confidential information. However, unlike the Law on Commercial Banks, the Decree does mention a duty to maintain the confidentiality of “personal information”.

The Decree provides that in the event that information relating to customers is breached, the financial service provider has an obligation to record the incident and immediately notify the affected customers. No details are provided on what specifically must be recorded or notified. Likewise, the language used in the original document does not provide any assistance in interpreting the meaning of the term “affected.” The term for “affected” that is used in the Lao language version of the Decree is a term that is normally used to denote persons who have suffered negative consequences or damage from an act. In the event that the breach of information causes an important adverse impact, or if there is a large-scale breach, a report must be submitted to the Bank of Lao PDR. However, there is no definition of “important adverse impact” or “large scale breach.” Moreover, no specific sanction is provided for failing to submit the report.

The Law on Electronic Data Protection does not provide sanction for breach of the notification obligation. On the other hand, the Penal Code provides that any person disclosing the private confidential information of another person during the performance of their profession or duties, and who causes damages to the other person, will be liable to imprisonment of a term of three to six months and a fine between LAK 3 million (approx. USD 137) and LAK 10 million (approx. USD 458). However, Penal Code does not define “private confidential information”, nor does it state whether the disclosure of information must be intentional. To date, there is no official guidance clarifying whether the Penal Code applies to scenarios where customer data is breached as a result of a technical failure or other such incidents.

Last modified 8 January 2025

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Latvia regulation

The Personal Data Processing Law does not provide any derogations or additional requirements to the GDPR regarding breach notification duties. The Data State Inspectorate has created a template for the data breach notification available on its webpage (only in Latvian).

Last modified 4 February 2025

Not applicable.

Last modified 21 December 2022

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an authorized person, the data controller, or any other third party processing personal information under the authority of a data controller, shall notify:

The Commission, and

The data subject, unless the identity of such data subject cannot be established

The notification shall be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the data controller’s information system.

The data controller, in terms of section 23(3), shall delay notification to the data subject where the Lesotho Mounted Police Service, the National Security Service or the Commission determines that notification will impede a criminal investigation.

The breach notification to a data subject shall be in writing and communicated to the data subject in one of the following ways:

Mailed to the data subject’s last known physical or postal address

Sent by email to the data subject’s last known email address

Placed in a prominent position on the website of the party responsible for notification

Published in the news media

As may be directed by the commission

The notification is required to provide sufficient information to allow the data subject to take protective measures against potential consequences of the compromise, including, if known to the data controller, the identity of the unauthorized person who may have accessed or acquired the personal information.

Mandatory breach notification

See above.

Last modified 20 December 2021

There is generally no breach notification requirement, nor any dedicated agency or entity to which such notification must be made.

Mandatory breach notification

Whenever a private action is contemplated through the courts, it is mandatory that the accused is apprised of the matter in order to inform the prospective defendant of the allegation against him or her. This is usually accomplished through the issuance of the appropriate Writ issued by the court which is served upon the Defendant.

Last modified 23 February 2024

There is no breach notification requirement in Libya.

Last modified 18 January 2024

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Lithuania regulation

The Data Protection Law does not provide any derogations or additional requirements to the GDPR regarding breach notification duties.

Last modified 3 February 2025

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Luxembourg regulation

No specific provisions in the applicable local law.

Last modified 4 February 2025

The Law does not require data controllers to notify either the OPDP or data subjects about any personal data breach.

However, a new Law on Cybersecurity came into effect in 2019, which implemented the requirement to notify the Cybersecurity Incident Alert and Response Center (CARIC) and respective regulatory authority, in the event of a system breach – this obligation is, however, limited to operators of critical infrastructures.

Last modified 19 December 2023

The Data Protection Law does not set out any general or specific obligation to notify the CMIL or the data subject in the event of a data security breach.

Last modified 4 February 2025

Currently, there is no requirement under the PDPA for data users / data controllers to notify authorities regarding data breaches in Malaysia. Previously there was a voluntary data breach notification option available on the PDP Department’s website, but the option appears to be no longer available.

However, the Amending Act has introduced a new Section 12B and imposed a mandatory personal data breach notification obligation on data users / data controllers. Under this new provision, a data user / data controller shall notify the Commissioner as soon as possible if he has reason to believe that a personal data breach has occurred. If the personal data breach causes or is likely to cause any significant harm to the data subject, the data user / data controller shall also notify the data subject of such data breach without unnecessary delay. These amendments will come into operation on June 01, 2025.

On August 19, 2024, the Commissioner issued the Public Consultation Paper No. 01/2024: The Implementation of Data Breach Notification (“PCP No. 01/2024”), aiming to gather public views regarding aspects that should be addressed in the proposed Personal Data Protection (Personal Data Breach Notification) Regulations and Guidelines.

The PCP No. 01/2024 proposes that the mandatory data breach notification to the Commissioner under Section 12B be limited to only instances where the personal data breach is likely to cause or has caused “significant harm” and / or where the personal data breach is likely to be or is of a “significant scale”. The manner and form, timeframe and applicable exemptions for data breach notification has also been addressed. Last but not least, although there is no direct obligation on data processor to notify the Commissioner or the affected data subject under the new Section 12B, the PCP No. 01/2024 proposes that the data users / data controllers shall be required to contractually impose an obligation on their data processors to promptly notify them about the data breach.

The Personal Data Breach Notification Guidelines are expected to be issued by early 2025.

Last modified 20 January 2025

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Malta regulation

The Act does not derogate or further regulate from the provisions of the GDPR in this regard.

The application form to be used when notifying data breaches to the OIDPC can be accessed here.

Last modified 18 January 2024

Under the DPA 2017, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner. Where the Controller fails to notify the personal data breach within the 72 hours' time limit, he should provide the Commissioner with the reasons for the delay. Where a processor becomes aware of a personal data breach, he shall notify the controller without undue delay.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller shall also communicate the personal data breach to the data subject without undue delay.

The communication of a personal data breach to the data subject shall not be required where:

the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular, those that render the data unintelligible to any person who is not authorised to access it, such as encryption;
the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject referred above is no longer likely to materialise; or
it would involve disproportionate effort and the controller has made a public communication or similar measure whereby data subject is informed in an equally effective manner.

Last modified 6 January 2025

Security breaches occurring at any stage of the processing that materially affect the property or moral rights of the data subject must be promptly reported by the data controller to the data subject.

Under Mexican Privacy Laws, a security breach of personal data includes any unauthorized:

loss or destruction of personal data
theft, loss or copying of personal data
use, access or processing of personal data
damage or alteration of personal data

If there is a breach of personal data, the controller must first analyze the causes of such breach; and then take steps to implement any corrective, preventive, improvement actions necessary to prevent the breach from recurring.

If a breach significantly affects the property or moral rights of the data subjects, the controller must immediately notify the affected data subjects, as soon as it confirms that the breach has occurred, so that the affected Data Subjects can take the corresponding measures.

The Regulations provide that breach notification must include at least the following information:

The nature of the breach
The personal data compromised
Recommendations to the data subject concerning measures that he or she can adopt to protect his or her interests
Immediate corrective actions implemented in response to the breach, and
The means by which the data subject may obtain more information in regard to the data breach

Last modified 28 January 2024

Current provisions

Personal data processing activities conducted by controllers or processors are subject to oversight by the NCPDP. In the event that the NCPDP identifies legal violations following its control, it shall issue a decision ordering the suspension of the data processing operations in question. Such a decision shall also include specific instructions for rectifying the identified violations.

The suspension of data processing operations shall remain in effect until the circumstances that served as the basis for the decision have been remedied. The controller or processor is required to address and rectify these circumstances within 30 days from the date on which the suspension decision was issued by the NCPDP.

Failure to take the necessary remedial measures within the specified period may result in the NCPDP issuing a decision to terminate the respective data processing operations. Additionally, the NCPDP may order the blocking or destruction of invalid or unlawfully obtained personal data.

Also, under the current Data Protection Law, data subjects have the right to lodge a complaint with the NCPDP if they believe that personal data processing operations have been conducted unlawfully. Such complaints must be submitted within 30 days from the date the data subject became aware of the alleged violation.

New legal provisions

In addition to the above, the New Data Protection Law (to enter into force on 23 August 2026) expressly includes the “personal data breach” definition and concept. Under the new provisions, where a personal data breach occurs, the controller shall without undue delay, and, where feasible, not later than 72 hours after having become aware of it, notify the NCPDP, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Such notification shall include at least the following details:

describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller, to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Furthermore, where a personal data breach is likely to result in a high risk for the rights and freedoms of the individual, save for the exceptions provided by law, the controller shall communicate the personal data breach to the data subject, without undue delay. Such communication shall describe in a clear and plain language the nature of the personal data breach and shall contain at least the details indicated above (which has been communicated to the NCPDP).

Last modified 16 January 2025

There is no mandatory requirement in the DPL to report security breaches or losses to the CCIN or to data subjects.

Last modified 6 February 2025

The Data Protection Law states that data collector must promptly notify the Data Controller of any breaches occurred during the data collection and processing. If such breach has potential to cause damages to the rights and legitimate interest of the Data Owner, the Data Controller must immediately provide notice to the Data Owner including the following:

The Data Owner who will be affected by the breach;
Name and contact information of the Data Controller;
Possible negative consequences from the breach; and
Measures taken to eliminate potential negative consequences from the breach.

Last modified 16 January 2025

There is no data security breach notification requirement under the DP Law. However, the Law on Electronic Communications ('Official Journal of Montenegro', nos. 40/2013, 56/2013, 2/2017 and 49/2019) ('EC Law') does impose a duty on operators to, without undue delay, notify the Montenegrin Agency for Electronic Communications and Postal Activity (EC Agency) and the DPA of any breach of personal data or privacy of the data subjects. The affected data subject should also be notified if the breach may have a detrimental effect to their personal data or privacy (unless the EC Agency issues an opinion that such notification is not needed). Failure to comply with any of the above duties is subject to liability and fines, ranging from EUR 6,000 to EUR 30,000 for a legal entity, and from EUR 300 to EUR 3,000 for a responsible person within a legal entity, and, if some material gain was obtained through the violation, the protective measure, which includes seizure of the respective gain, may be imposed in addition to the above monetary fine.

Last modified 16 January 2025

There is no requirement for a data protection officer under the DP Law, except, where relevant, through the application of GDPR.

Last modified 18 January 2024

There is currently no breach notification requirement in Mozambique.

A Cybersecurity Bill is being discussed which intends to establish amongst other things, the legal regime applicable to the protection of data communication networks, of data, of information systems and critical infrastructures in cyberspace.

The bill stipulates which entities are required to notify in the event of a data breach.

Last modified 16 January 2025

There is no obligation under the Electronic Transactions Law. The Regulation on Mobile Financial Services (2016) requires that any indications of loss of confidential data of the Mobile Financial Services system shall be notified to the Central Bank of Myanmar in writing no later than two business days of the event.

Last modified 18 December 2024

There are no requirements to report data breaches to any individual or regulatory body.

Last modified 18 January 2024

Certain offenses under the Privacy Act, and all offenses under the IT Bill and the Social Media Bill are state-party offenses listed under Schedule-1 of the National Criminal Procedure Code, 2017 (“NCP”). Pursuant to Section 4 of the NCP, anyone aware of a Schedule-1 offense must file a First Information Report (FIR) which may be submitted in written, verbal, or electronic form and should include any available evidence, with the prescribed format under Schedule-5 of the NCP. The obligation to notify a breach is also mandated by Section 96 of the National Penal Code, 2017 which states that a person under the legal duty to provide information regarding an offence when aware that such an offense has been committed, shall provide the concerned authority with such information.

Last modified 20 January 2025

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Netherlands regulation

The provisions regarding data breach notifications are mostly identical to Articles 33 and 34 GDPR.

Data breaches that require notification, should be notified to the Dutch DPA by completing an online form through the Dutch DPA website.

The form is available here.

Last modified 18 January 2024

Under the Act, any 'privacy breach' which it is reasonable to believe has caused or is likely to cause serious harm to an individual must be notified to the Privacy Commissioner and to the affected individuals.

A 'privacy breach' is any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information, or any action that prevents the agency from accessing the information on either a temporary or permanent basis.

When assessing whether a privacy breach is likely to cause serious harm, agencies must consider:

any action taken by the agency to reduce the risk of harm following the breach;
whether the personal information is sensitive in nature;
the nature of the harm that may be caused to affected individuals;
the person or body that has obtained or may obtain personal information as a result of the breach (if known);
whether the personal information is protected by a security measure; and
any other relevant matters.

Agencies must notify the Privacy Commissioner and affected individuals as soon as practicable after becoming aware of a notifiable privacy breach. The Privacy Commissioner has issued non-binding guidance that it expects to be notified within 72 hours of an agency discovering a notifiable privacy breach. If it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, an agency can give a public notice of the breach.

Notification to affected individuals is not required or can be delayed in certain circumstances. For example, notification to affected individuals can be delayed if the agency believes that a delay is necessary because notification or public notice may pose risks for the security of personal information held by the agency and those risks outweigh the benefits of informing affected individuals (for example, if notification of the breach would expose an unremedied security vulnerability).

Anyone who outsources services that involve data processing should be aware that the Act includes an express provision that anything relating to a notifiable privacy breach that is known by an agent is to be treated as being known by the principal agency. This is because the legislators consider that the principal agency should be responsible for informing individuals about a notifiable breach.

Last modified 24 January 2025

The legislation does not expressly contemplate the duty of notification of data breach.

Mandatory breach notification

The legislation only contemplates mandatory notification in the event of data breach in the case of Army and Police personnel, and the relevant institutions must be informed immediately.

Last modified 28 January 2024

Under article 83 of the 2022 Personal Data Protection Act, the controller of personal data is required to notify the Data Protection Authority (HAPDP) of any personal data breach as soon as it becomes aware of it. This notification must be made without delay and, in the event of a high risk to the rights and freedoms of the data subjects, the data controller must also inform the data subjects as soon as possible. However, the controller is not required to notify a data breach if it is reasonable to believe that the breach does not present a risk to the rights and freedoms of the data subjects. It is important to note that failure to comply with this notification obligation must be justified and substantiated by the data controller to the data protection authority. Failure to comply with this obligation may result in criminal penalties, such as imprisonment and fines, as set out in Article 98 of the Act.

Mandatory Breach Notification

Mandatory notification of personal data breaches is provided for in Article 83 of the 2022 Personal Data Protection Act. According to this article, as soon as the data controller becomes aware of a personal data breach, it must inform the HAPDP without delay. In addition, if the breach is likely to result in a high risk to the rights and freedoms of an individual, the controller must notify the data subject of the security breach as soon as possible.

Last modified 6 January 2025

In a processing activity involving a data processor and controller or a processor and sub processor, there is an obligation on a data processor (or sub processor), on becoming aware of a breach to:

notify the data controller or processor that engaged it, describing the nature of the personal data breach including where possible, the categories and approximate number of data subject and records concerned;
respond to all information requests from the data controller or processor that engaged it.

Within 72 (seventy two) hours of becoming aware of a breach, if the breach is likely to result in a risk to the rights and freedoms of individuals, the data controller is obligated to notify the Commission. The data controller will immediately communicate the breach in plain and clear language including advice about measures the data subject could take to mitigate the effect of the breach, including the categories and approximate numbers of data subjects, and personal data records concerned.

Data Subject Notification

Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller shall immediately communicate the personal data breach to the data subject in plain and clear language, including advice about measures the data subject could take to mitigate the possible adverse effects of the data breach and if a direct communication to the data subject would involve disproportionate effort or expense, or is otherwise not feasible, the data controller may instead make a public communication in one or more widely used media sources such that the data subject is likely to be informed.

The notifications referenced above should communicate the name and contact details of a point of contact of the data controller, describe the likely consequences of the personal breach and measures taken or proposed to be taken to address the personal breach.

Last modified 18 January 2025

Under the DP Law, data controllers are obliged to immediately (and not longer than 72 hours after discovering the data breach) inform the DPA, unless it is likely that the data breach may not pose a risk to the rights and freedoms of natural persons. Data processors are obliged to notify the data controller immediately after discovering the breach.

The notification is submitted on a special form prescribed by the DPA. The information may be gradually submitted without undue delays, only if there was no possibility to submit all of the information at the same time.

If the data breach is deemed to pose a high risk to the rights and freedoms of the natural persons, the data controller must immediately notify the data subject that their personal data has been breached. However, the data controller may not notify the data subject if:

appropriate technical and organizational measures have been implemented which ensure that the personal data would be unrecognizable to unauthorized persons (e.g. encryption);
the data controller has implemented additional measures which ensure that there is no longer a high risk to the rights and freedoms of the data subjects; or
if such notification requires disproportionate effort, in which case a public notification or a similar measure is implemented.

Last modified 17 January 2024

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Norway regulation

Data breaches that require notification to the Norwegian DPA, can be notified by completing an online form through Altinn, a Norwegian internet portal for digital dialogue between businesses and public agencies.

The form is available online.

Last modified 16 January 2025

There is, at present, no requirement to report data breaches to any individual or regulatory body specifically under PECA 2016. However, there are self-reporting requirements under sector specific laws, which may contain the reporting of a breach of personal data.

Additionally, the PDPB would, upon coming into force, require the data controller to notify the Commission regarding any personal data breaches that are likely to result in a risk to the rights and freedoms of the data subject, within 72 hours of knowledge of breach. Moreover, the data processor would similarly be required to intimate any breach of personal data to the Commission, within 72 hours, in the event that the data processor is made aware of such breaches.

Last modified 4 January 2024

If a data controller becomes aware of a security breach, defined as any damage, loss, alteration, destruction, access and in general, any illegal or unauthorized use of personal data, even where such occurs accidentally, that represents a risk for the data’s protection, the data controller must immediately notify such breach to the regulator and affected data subjects, within 72 hours. Data processors also have the responsibility to immediately notify the data controller of any security breach.

The data controller must document any security breach and include at a minimum the following information: i) date of occurrence, ii) the reasons of the breach, iii) the facts related to the situation and its effects, iv) the definitive corrective measures immediately implemented.

The regulator will verify the seriousness of the incident and if required to safeguard the rights of the data subjects, order that the data controller adopt measures, such as the wide dissemination of the incident in the media and/or measures to reverse or mitigate the effects of the incident.

Operators that manage public networks or that provide communication services available to the public shall guarantee in the exercise of their activity the protection of personal data in accordance with the Data Protection Law. They must also adopt the appropriate technical and management measures to preserve the security in the operation of the network or in the provision of their services, in order to guarantee the levels of protection for the personal data that are required by the Data Protection Law, as well as certifications, protocols, standards and other measures established by the respective authorities.

In case there is a particular affectation or violation of the security of the network communication system, the operator that manages such network or provides the communication service will inform the data subjects about said affectation and about the measures to adopt.

Last modified 28 January 2024

No data breach notification obligation exists under the current data protection regime.

Last modified 28 January 2025

Currently, notification incidents are regulated by Emergency Decree 007-2020, which approves the Digital Trust Framework, with the intent to strengthen cybersecurity ('Emergency Decree'). A Digital Security Incident is defined under the Emergency Decree as an 'event or series of events that may compromise the trust, economic prosperity, protection of individuals and their personal data, the information, among other assets of the organization, through digital technologies.'

According to the Emergency Decree public administration entities, digital service providers in the financial sector, utilities (electricity, water and gas), healthcare and passenger transportation, internet service providers, and other providers of critical activities (economic and/or social activity whose interruption has serious consequences on the health and safety of citizens, on the effective functioning of essential services that maintain the economy, society and government, or affects the economic and social prosperity in general) as well as educational services must comply with the following: (a) notifying the National Centre for Digital Security (National Centre) about every digital security incident; and, (b) reporting and collaborating with the NDPA in case of a digital security incident that involves personal data. Notwithstanding the foregoing, once the New Regulation enters into force, a mandatory obligation regarding notification incidents will be in place.

According to the New Regulation, a security incident consists of any breach of security resulting in the destruction, loss, unlawful alteration of personal data or unauthorized communication or exposure to such data.

In the event that a personal data security incident results in the exposure of large volumes of personal data, in quantity or type of data, or that may affect a large number of persons or when it involves sensitive data or when there is an evident prejudice to other rights or freedoms of the holder of the personal data, the holder of the database must notify the NDPA at the latest within 48 hours after becoming aware of it or becoming aware of it. If the notification is made after 48 hours, it must include the reasons and evidentiary support for the delay.

The personal data security incident notification should identify and describe at a minimum the following:

The nature of the personal data security incident, including, where possible, the types of data and the approximate number of data subjects affected
The name and contact details of the Personal Data Officer or other points of contact where further information can be obtained
The possible consequences of the personal data security incident, and
The measures taken or proposed by the data controller to remedy the personal data security breach, including, if applicable, the measures taken to mitigate the possible negative effects.

It should be noted that this obligation remains even if the data controller considers that the incident has been remedied or resolved internally.

Likewise, the holder of the personal database who notices a personal data security incident that affects the holder of the same in other of his rights, must communicate it within 48 hours without undue delay, in simple and clear language for its understanding, as well as the measures adopted to mitigate its effects. If such communication takes longer than 48 hours, it must be accompanied by an indication of the reasons for such delay.

Furthermore, in the event that the Personal Data security incident takes place in and/or through the digital environment, the notification is made, in addition to the NDPA, to the National Center for its incorporation into the National Register of Digital Security Incidents in accordance with the provisions of the Emergency Decree.

Pursuant to Emergency Decree 007-2020, which approves the Digital Trust Framework, with the intent to strengthen cybersecurity ("Emergency Decree"), public administration entities, digital service providers in the financial sector, utilities (electricity, water and gas), healthcare and passenger transportation, internet service providers, and other providers of critical activities (economic and/or social activity whose interruption has serious consequences on the health and safety of citizens, on the effective functioning of essential services that maintain the economy, society and government, or affects the economic and social prosperity in general) as well as educational services must comply with the following: (a) notifying the National Centre for Digital Security ('National Centre') about every digital security incident; and, (b) reporting and collaborating with the NDPA in case of a digital security incident that involves Personal Data.

Last modified 26 January 2023

The PIC is required to notify both the regulator (which is the NPC) and the affected data subjects within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred.

A security incident is treated as a reportable data breach if Sensitive Personal Information or other information has been acquired by an unauthorized person, and:

such Personal Information may, under the circumstances, be used to enable identity fraud; and
the PIC or the NPC believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

The notification shall at least describe the nature of the breach, the Sensitive Personal Information possibly involved, and the measures taken by the entity to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach, the representatives of the PIC, including their contact details, from whom the data subject can obtain additional information about the breach, and any assistance to be provided to the affected data subjects.

Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The NPC may also authorize postponement of notification where such notification may hinder the progress of a criminal investigation related to a serious breach.

There can be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of Sensitive Personal Information will harm or adversely affect the data subject. In either case, the Commission must be notified within the 72-hour period based on available information.

The full report of the personal data breach must be submitted within five (5) days from notification, unless the PIC is granted additional time by the Commission to comply.

Notification is not required if the NPC determines:

that notification is unwarranted after taking into account compliance by the PIC with the Act and the existence of good faith in the acquisition of Personal Information; or
in the reasonable judgment of the NPC, such notification would not be in the public interest or in the interests of the affected data subjects.

In April 2022, the NPC launched the Data Breach Notification Management System (DBNMS), an interface that facilitates tracking and submission of personal data breach notifications and annual security incident reports.

Last modified 20 January 2025

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to the affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include, where possible, the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach, and the measures taken to mitigate any harm (Article 33(3)).

Controllers are also required to keep records of all data breaches (Article 33(5)) (irrespective of whether they are notified to the supervisory authority) and permit audits of the records by the supervisory authority.

Poland regulation

In Poland, the breach notification obligations under the Telecommunications Act were replaced by the breach notification obligations under the terms specified in Commission Regulation (EU) No. 611/2013 of 24 June 2013 regarding measures applicable to the notification of personal data breaches under Directive 2002/58/ EC of the European Parliament and of the Council on privacy and electronic communications (Regulation 611/2013).

A personal data breach should be reported by the provider of telecommunications services to the Polish DPA immediately, and no later than 24 hours after the detection of the personal data breach. This deadline results from Article 2 section (2) of Regulation 611/2013. Because this period is shorter than the period indicated in the GDPR, telecommunications undertakings will have to make every effort to send the information required by law within 24, not 72, hours. Therefore, the personal data breach should be notified electronically by filling out the appropriate form.

If a data breach could have a negative impact on the rights of a subscriber or end user (i.e. a natural person), the service provider should also - immediately (i.e. without undue delay) - inform the subscriber or end user about the breach (in addition to informing the Polish DPA) in accordance with Regulation 611/2013.

Under the new Electronic Communications bill, the breach notification obligations continue to be superseded by the breach notification obligations under Commission Regulation (EU) No. 611/2013, so relevant provisions remain unchanged.

Last modified 16 January 2025

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not executed within 72 hours, it shall be accompanied by the reasons for the delay.When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Portugal regulation

Personal data breach notifications are required in the circumstances provided in Article 33 GDPR. The Portuguese supervisory authority (CNPD) set out the procedure for a personal data breach notification. A specific form on the supervisory authority's website should be completed and submitted to notify data breaches (the form is available here). The supervisory authority makes also available a form which allows a previously submitted notification to be amended (the form is available here).

Also Law 41/2004, of 18 August (as amended) establishes that companies that provide electronic communications services accessible to the public shall, without undue delay, notify the Data Protection Authority (CNPD) of a personal data breach. When the personal data breach may affect negatively the subscriber’s or user’s personal data, companies providing electronic communications services to the public should also, without undue delay, notify the breach to the subscriber or user so that they can take the necessary precautions.

For these purposes, a negative effect on personal data exists when the breach may result namely in theft or identity fraud, physical harm, significant humiliation or damage to reputation.

Last modified 17 January 2024

There is an obligation on the data controller to notify the regulator, the NCGAA and the data subject of any breaches of the measures to protect the data subject's privacy if it is likely to cause damage to the data subject. The notification to the NCGAA and the data subject must be made as soon as possible from the time the data controller becomes aware of the breach but in any event, within 72 hours.

A personal data breach means a breach of security leading to an unlawful or accidental alteration, destruction, loss, unauthorised disclosure of, or access to personal data. This would encompass both, accidental and deliberate breaches such as, theft or loss of IT equipment, inadequate disposal of confidential files that may contain personal data material and using client data for a personal gain. In assessing whether a breach would cause serious damage, the data controller should take into consideration whether the breach would cause the data subject to be impacted negatively in various ways such as emotional distress, or physical or material damage.

Last modified 17 January 2024

There is a requirement under the DPL to inform the DPO of a Personal Data Breach. The notification must be made without undue delay and where possible, no later than 72 hours from the time the data controller is made aware of the breach.

The data controller must also consider notifying the data subjects affected of the breach and if the data controller determines that it will notify the data subjects then, it must notify them without undue delay after becoming aware of the breach and its notification:

Must use clear and plain language;
Must contain an explanation of the nature of the personal data breach;
Must describe the consequences (or those that are likely) of the data breach; and
Must contain a description of the measures taken or proposed to be taken by the data controller to address the breach and the measures to mitigate the effects of the breach.

The requirement to notify the DPO of a personal data breach does not apply if the breach is unlikely to result in a risk to the rights and legitimate interests of the data subjects.

Last modified 17 January 2024

The processor of personal data must in case of a breach of the security inform the Commission without delay and at the latest within 72 hours after it identified the breach.

Mandatory breach notification

It is mandatory to notify every breach to the Commission, however, the 72 hours deadline does not apply in case there is no risk for the rights of the persons concerned. The breach must still be notified, but it must be explained why the breach was notified more than 72 hours after the identification of the breach.

The persons concerned must also informed of the breach if it poses an important risk for its rights.

Last modified 23 February 2024

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach.

The notification to the supervisory authority must include where possible:

The categories and approximate numbers of individuals and records concerned
The name of the organisation’s data protection officer or other contact
The likely consequences of the breach and the measures taken to mitigate harm

Controllers are also required to keep a record of all data breaches (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

Romania regulation

No specific provisions / derogations are provided by the Law no. 190/2018 with respect to the notification of a personal data security breach. However, where data controllers notify a personal data breach to ANSPDCP, a special notification form must be filled out and submitted.

Last modified 17 January 2024

Under the recently adopted amendments, in case of establishing the fact of unlawful or occasional transfer or dissemination of personal data, that caused a violation of data subject rights, the data controller must:

within 24 hours notify Roskomnadzor about:
- the incident;
- believed reasons that caused violation of data subject rights;
- estimated harm inflicted to data subject rights;
- measures taken to cure consequences of the incident; and
- details of the contact person to communicate with Roskomnadzor.

within 72 hours notify Roskomnadzor about the results of internal investigation of the incident as well as to provide the information on the parties, if any, whose actions caused the incident.

The above timeframes are very short that may cause significant practical difficulties in complying with them.

Last modified 17 January 2024

In case of personal data breach, the DC is required to communicate the personal data breach to the NCSA within 48h after being aware of the incident. The DP is required to notify the DC of any personal data breach within 48h after being aware of the incident (article 43).

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the DC is also required to communicates the personal data breach to the data subject in writing or electronically, after having become aware of it (article 45). The Data Protection Law does not specify in which delay this communication must be done.

This communication of personal data breach to the data subject is not required in the following cases:

the DC has implemented appropriate technical and organisational protection measures in relation to personal data breached such that the personal data breach is unlikely to result in a high risk to the rights and freedoms of the data subject;
the DC has taken measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
the DC communicated it to the public whereby the data subject is informed in an equally effective manner.

The NCSA can request the DC to make such communication if the DC has not done it yet in case the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject.

Last modified 17 January 2024

The PDPL imposes data breach notification requirements on data controllers, to notify the regulator (i.e. SDAIA) and / or impacted data subjects, depending on the circumstances. Where a notification is required to SDAIA, the data controller must notify within 72 hours of becoming aware of the breach. Where a notification is required to impacted data subjects, this must be made without undue delay.

In addition, notification obligations may be triggered in specific contexts / sectors – for example, cloud service providers may be required to report security breaches to the CST depending upon the circumstances.

Last modified 23 February 2024

Based on Senegal’s law and regulations there is no legal requirement to report data breaches to the CDP. Nevertheless, the data controller is required to respect confidentiality, security and data retention requirements of the data subject.

There is also no legal requirement for data breaches to be reported to affected individuals.

Mandatory breach notification

No mandatory breach notification protocol is provided under Senegal law.

Last modified 23 February 2024

The DP Law imposes data breach notification obligations that largely track the GDPR. Furthermore, the Law on Electronic Communications ('Official Gazette of the Republic of Serbia', no. 35/2023) (“EC Law”) imposes a duty on business entities performing electronic communication activities, to notify the Regulatory Body for Electronic Communications and Postal Services (“RATEL”) as the competent state authority, of any breach of security and integrity of public communication networks and services, which have influenced their work significantly, whereas RATEL, when it assesses that it is in public interest to publish the respective information, is authorized to inform the public on any such breach or to request from the respective business entity to do that. Additionally, if there is a particular risk of breach of public electronic communication networks and services' security and integrity (e.g. risk of endangering safety of personal data), a business entity is obliged to inform users on such risk and if such risk is out of the scope of the measures the operator is obliged to implement, to inform users on possible measures of protection and costs of their implementation.

Nonperformance of this statutory obligation can lead to liability and fines of up to EUR 17,000 for a legal entity, and up to EUR 1,275 for a responsible person in a legal entity. Protective measures may also be implemented. For a legal entity, a prohibition against performing business activities for a duration of up to three years and for a responsible person in a legal entity, a prohibition against performing certain duties for a duration of up to one year.

According to the DP Law, the data breach obligations present a significant responsibility, as data controllers will generally be required to document each data breach as well as to notify the DPA of such breach (if it may result in a risk to the rights and freedoms of individuals) without undue delay and, when feasible, within 72 hours after becoming aware of the breach. In addition, data processors will have to notify the controllers of the breach without undue delay.

If the personal data breach may result in a high risk to the rights and freedoms of individuals, the controller is also required to communicate the personal data breach to the individual concerned without undue delay. However, this does not apply if the controller has implemented appropriate technical, organizational and human resources measures, such as encryption that has rendered the relevant data unintelligible to any unauthorized person, or has subsequently undertaken measures which ensure that the data breach can no longer lead to consequences for the concerned individual, or, if the notification would involve disproportionate efforts, a public communication or a similar measure must be made in order to properly inform the individuals.

Last modified 17 January 2024

Breach notification

There is no mandatory requirement in the Act to report data security breaches or losses to the Data Protection Commissioner. However, the Act provides that the Data Protection Commissioner may consider any complaint that any of the data protection principles or any provision of this Act has been or is being contravened and shall do so if the complaint appears to him to raise a matter of substance and to have been made without undue delay by a person directly affected.

Where the Data Protection Commissioner investigates any such complaint he shall notify the complainant of the result of his investigation and of any action which he proposes to take.

Mandatory breach notification

None contained in the Act.

Last modified 17 January 2024

Under the current Act, where an organization has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, it must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a “notifiable data breach” (as defined in the current Act). A data breach means (a) the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or (b) the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur. A data breach constitutes a “notifiable data breach” if:

it results in, or is likely to result in, significant harm to the affected individuals (including one that compromises personal data prescribed under the Personal Data Protection (Notification of Data Breaches) Regulations 2021); or
it is of a significant scale (i.e. one that affects 500 or more individuals).

An organization must notify the Commission as soon as practicable and in any case no later than three calendar days after the day the organization makes the above assessment of a notifiable data breach. If the data breach results in, or is likely to result in, significant harm to the affected individual(s), an organization must also notify each affected individual in any manner that is reasonable in the circumstances.

The Personal Data Protection (Notification of Data Breaches) 2021 sets out the list of information to be included in notifications to the Commission and affected individuals.

Where a data breach is discovered by a data intermediary, the data intermediary must notify the organization (i.e. data controller) without undue delay from the time the data intermediary has credible grounds to believe that a data breach has occurred in relation to personal data that it is processing on behalf of and for the purposes of the organization. Upon notification by the data intermediary, the organization must conduct an assessment of whether the data breach is a notifiable data breach.

In addition, the Cybersecurity Act 2018 (“CSA”) was passed in Singapore in early 2019. The CSA primarily contains obligations applicable to organizations which have been designated as owners of critical information infrastructure. In particular, if your organization has been designated by the Cybersecurity Commissioner as the owner of a critical information infrastructure, additional obligations will apply to your organization in relation to data breach incident handling and notification. The CSA was amended in 2024, introducing obligations on organizations beyond the owners of critical information infrastructure, including foundational digital infrastructure service providers, entities of special cybersecurity interest and systems of temporary cybersecurity concern, to ensure that the CSA keeps pace with technological developments and industry practices.

Last modified 23 January 2025

National Ordinance Personal Data Protection

Contains no specific clauses.

GDPR

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Last modified 10 February 2025

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay. (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach. (Article 33(2)).

The notification to the supervisory authority must include where possible:

The categories and approximate numbers of individuals and records concerned
The name of the organisation’s data protection officer or other contact
The likely consequences of the breach and the measures taken to mitigate harm
The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Controllers are also required to keep a record of all data breaches (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

Slovak Republic regulation

Breach notifications are governed by the GDPR.

Last modified 17 January 2024

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A "personal data breach" is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed" (Article 4 GDPR).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34 GDPR).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2) GDPR).

Controllers are also required to keep a record of all data breaches (Article 33(5) GDPR) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

In relation to data breaches, in Article 23 ZVOP-2 regulates data security in the field of special processing, which also involves reporting breaches. This article specifies that for certain information systems, the provisions on security requirements and reporting incidents from the Information Security Act (Zakon o informacijski varnosti) apply mutatis mutandis. These provisions concern essential service providers if the controller is not obliged to implement measures under the Information Security Act for these processing activities. Localization rules apply exist in case of special processing of personal information within information systems in which processing of the following categories of personal data is carried out: personal data specified in the laws governing administrative internal affairs, financial administration, citizenship, the Slovenian Intelligence and Security Agency, defence, healthcare, mandatory health insurance, the exercise of rights deriving from public funds, and criminal and minor offence records. Such data records must be kept within the territory of the Republic of Slovenia.

Last modified 17 January 2024

In terms of section 22 of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person, the responsible party must notify the Information Regulator and the data subject, unless the identity of such data subject cannot be established.

The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offenses or the Information Regulator determines that notification will impede a criminal investigation by the public body concerned and must be in writing and communicated to the data subject in a prescribed manner.

The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including all of the following:

A description of the possible consequences of the security compromise;
A description of the measures that the responsible party intends to take or has taken to address the security compromise;
A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
If known to the responsible party, the identity of the unauthorized person who may have accessed or acquired the personal information.

The Information Regulator may direct a responsible party to publicize, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Information Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

An operator / data processor is not required to notify the Information Regulator or data subjects where there are reasonable grounds to believe that there has been a data breach. It must, however, notify the responsible party / data controller of the suspected data breach.

Last modified 17 January 2024

In the event of a personal information leakage, the personal data controller must notify the affected data subjects within 72 hours of becoming aware of the leakage. The data controller must also report to the regulator within 72 hours if: (i) personal information of 1,000 or more data subjects has been leaked, (ii) sensitive information or unique identification information has been leaked, or (iii) personal information has been leaked through unauthorized access from the outside. However, no regulatory reporting is needed if the data controller is able to take measures to significantly reduce the possibility of infringement of the rights and interests of the affected data subjects, such as retrieving or deleting the compromised personal information.

Last modified 20 January 2025

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Last modified 22 January 2024

A ‘personal data breach’ is broadly defined in the PDPA to mean “any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The PDPA imposes a general obligation on a controller to notify the Authority in the event of a personal data breach.

The manner, form and the time period within which such notification should be made is to be prescribed by way of rules made under the PDPA, which are likely to be published upon the Authority being established. Accordingly, the threshold for a notifiable breach, the timeframe within which such notification has to be made, and the circumstances where the Authority and the data subjects should be notified, are yet to be specified under the PDPA.

Additionally, the Data Protection Management programme, which is required to be implemented by every controller, must also include a mechanism to detect breaches of personal data.

Last modified 3 January 2024

EU regulation

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

Sweden regulation

There are no derogations under Swedish law, except that personal data breaches that fall under the Criminal Data Act (2018:1177) (which implements the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data) shall be reported by public authorities separately in accordance certain provisions of the Criminal Data Act.

Last modified 22 January 2024

The FADP provides for three different notification obligations in the event a data security breach occurs:

The controller shall notify the FDPIC as soon as possible of any data security breach that is likely to lead to a high risk to the data subject's personality or fundamental rights. The FDPIC has made available a reporting portal (see here), which may be used to submit a notification.
The controller shall inform the affected data subjects of any data security breach if this is required for their protection or if the FDPIC so requests. Even though the FADP does not stipulate a specific time frame in this regard, it is evident that such information must be provided in a timely manner in order to achieve its purpose.
The processor shall notify the controller of any data security breach as soon as possible. The FADP does not provide for a threshold in this respect. Therefore, a notification is required regardless of the specific risk involved.

A data security breach is defined as a breach of security that leads to the accidental or unlawful loss, deletion, destruction or modification or unauthorised disclosure or access to personal data. The ODP details what information a breach notification must contain and imposes a documentation obligation on the controller.

Last modified 22 August 2023

Upon a data breach (which is not defined under the PDPA, however, from a Taiwan law perspective, such would mean where a data subject’s personal data is accessed, taken, revealed, leaked, changed or otherwise infringed on by any unauthorized person or entity or in any unauthorized manner), the data collector is required to promptly notify the data subject of:

the fact of the infringement;
the measures the data collector has taken to respond to such infringement; and
the contact information of the data collector.

No threshold has been provided for when such notice has to be given to the affected data subjects. It is understood that so long as personal data is stolen, disclosed, altered or otherwise infringed on, such notice has to be promptly given.

The notice may be made orally, by written document, telephone, text message, email, facsimile, electronic record, or in another manner which the data subject can receive such notice. If the cost of notifying each data subject is “too high”, such notice may be made via the internet or news media.

In addition, data collectors in certain industries (e.g. travel agents, financial institutions) are required to report to their respective industry regulator and, where it is required to do so, the report to the industry regulator needs to include:

the fact that personal data may have been compromised;
the measures the data collector has taken to respond to such compromise (including evidence that the data collector has notified the affected individuals);
the investigation by the data collector (or any outside forensic firm) as to how the data breach occurred;
the preventive measure(s) the data collector will take to prevent recurrence of data breach in the future; and
any other information that the industry regulator may require on a case-by-case basis.

Also, between 2021 and 2023, steps were taken by the Taiwan authorities to expand the material data breach reporting obligations of, inter alia, security service providers, pawnshops, travel agents and financial institutions by (i) requiring such enterprises to report material data breaches to the relevant industry competent authority within a specified period (e.g. 72 hours) and / or (ii) requiring such competent authorities to further report such breach to the NDC within 72 hours of becoming aware of the breach. Such steps are now being implemented or will shortly become effective. Also, the term “material data breach”, subject to the relevant regulations, in general means a situation where personal data is stolen, altered, damaged, destroyed or disclosed, and such will endanger the normal business of the data collector, or the rights and interests of a large number of data subjects (“large” has not been defined).

Last modified 18 December 2023

Currently, there is no formal requirement in Tajikistan to report data breaches to any authority or data subject.

Last modified 27 January 2025

Data controllers must promptly notify any personal data security breach to the Commission. The breaches notifiable are any security breaches which affect personal data being processed on behalf of the data controller.¹

Mandatory breach notification

As advised above, it is mandatory for every data controller to, promptly, notify the Commission of any breach of security that may affect personal data which is being processed on their behalf.

Footnotes

1: Section 27(5) of the DPA

Last modified 25 January 2024

General provisions of the PDPA provide that, in the event of a Personal Data Breach, Data Controllers must report the breach to the Regulator without undue delay, and in any event, if feasible, within 72 hours of becoming aware of it. Data Controllers also have an obligation to notify the data subjects of the breach and the remedial measures if the breach is likely to result in high risks to the rights and freedoms of individuals.

Notification of the Regulator on Rules and Methods of Personal Data Breach Notification B.E. 2565 (2022), a subordinate regulation under the PDPA, prescribed a general procedure upon the Data Controller who is being informed, or becomes aware of actual or potential Personal Data Breach, which includes the following:

To conduct an initial investigation concerning the Personal Data Breach, to confirm that there is actually a breach and assess the risk that may affect the rights and freedoms of individuals.
If there is a high risk that the Personal Data Breach may affect the rights and freedoms of individuals, the Data Controller shall take action to prevent, suppress, or rectify in order to stop the breach from causing additional impacts.
If there is reasonable ground to believe that there was a Personal Data Breach, the Data Controller shall notify the Regulator of the said breach without undue delay, and where feasible, within 72 hours of becoming aware of such breach.
If Personal Data Breach has a high risk where it may affect the rights and freedoms of individuals, the Data Controller shall notify the affected data subject of the breach, together with the remedial measures taken. Such notification to the data subject shall be given without undue delay.
Reviewing security measures or taking any other necessary and suitable measures to stop, respond, rectify, or rehabilitate the current situation, and prevent the impacts of a Personal Data Breach of the same nature from arising in the future.

The breach notification given to the Regulator shall be in written or electronic form (or other methods prescribed by the Regulator) and shall include details such as brief information regarding the nature and category of personal data involved in the Personal Data Breach, Data Controller or DPO contact information, information relating to the impacts that may arise, and measures that the Data Controller uses, or will use to prevent, stop, or rectify the Personal Data Breach.

Where the Data Controller fails to notify the Regulator within 72 hours, the Data Controller shall be subjected to an administrative fine (not exceeding THB 3 million). In this regard, the Data Controller may request to be exempted from the liability for the delayed notification of a Personal Data Breach, by clarifying the reasons and the showing that the delay was caused by unavoidable necessities. Such request must be made to the Regulator, not exceeding 15 days of becoming aware of the breach.

Additionally, if the Data Controller views that the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of individuals, the Data Controller may request to be exempted from the breach notification requirement (i.e. to be exempted from notifying the Regulator in accordance with the list of information). In doing so, the Data Controller must provide the Regulator with information, documents, or evidence to support such a request.

Last modified 6 January 2025

None.

Last modified 15 February 2022

There is no provision in the DPA for notifying data subjects or the Information Commissioner of a security breach.

Last modified 26 January 2023

Under Tunisian Law, it is up to the person in question to make this kind of notification, or to its heirs and agents in certain circumstances.

Also, under the terms of Decree-Law no. 2023-17 of March 11, 2023 on cybersecurity, companies engaged in the automated processing of the personal data of people with whom they come into contact as part of the provision of their services via telecommunications networks must inform the National Cybersecurity Agency (ANCS) in the event of a cyberattack.

Mandatory breach notification

The public prosecutor in the jurisdiction where the investigation takes place shall be informed by The National Authority for Protection of Personal Data of any offenses that it has detected.

Last modified 27 January 2025

There is no explicit definition of a data breach under Turkish Law. However, a breach can be defined as illegal acquisition of personal data by others / third parties.

The LPPD does not contain any thresholds for a notifiable breach. Therefore, all breaches (“illegal acquisition of personal data by others / third parties”) are notifiable to the Authority (within 72 hours) and to concerned data subjects (as soon as possible) without any criteria / threshold.

Under the LPPD, controllers must notify the data subject and the Data Protection Authority in case of a data breach. The Data Protection Authority reserves the right to inform the public about the breach if it deems necessary.

While there is no specific time frame stipulated in the LPPD, with the decision numbered 2019/10, which was published on February 15 2019, the Data Protection Authority stipulated the procedure for breach notifications, which can be found online.

Notification to the Data Protection Authority

Pursuant to Decision 2019/10, data controllers are required to notify the Data Protection Authority within 72 hours of becoming aware of a breach.

In cases where the notification cannot be sent within 72 hours, the causes for the delay must be sent as well.

Further, with the Decision 2019/10, the Data Protection Authority published the Data Breach Notification Form, which can be accessed here.

For all data breach notifications sent to the Data Protection Authority, the Data Breach Notification Form must be used. If it is not possible to fill out all of the information in the Data Breach Notification Form, a partially filled form may be sent to the Data Protection Authority. Therefore, gradual breach notification is possible.

The data breach notification sent to the Data Protection Authority can be sent via e-mail by sending the Data Breach Notification Form to [email protected] with the subject “Kisisel veri ihlali bildirimi” or via the Data Protection Authority’s module.

Alternatively, the form can be sent by post to the Data Protection Authority’s address.

Notification to Data Subjects

There is no clear time frame stipulated for notification to data subjects. The LPPD and the Decision 2019/10 require the data subjects to be notified “as soon as possible”. Notifications can be sent to data subjects directly if the data controller has their contact information. If not, any other appropriate way can be used, such as announcing the breach in data controller’s website.

Other requirements

Pursuant to Decision 2019/10, data controllers are required to prepare a “Data Breach Response Plan” which should specify who, within the organization, should be contacted in the event of a data breach. This person will be the primary person responsible for assessing the consequences of such a breach.

Further, there is a requirement to retain the records regarding (i) information on the data security breach, (ii) impacts of the breach, and (iii) measures taken, and to make these available for a possible assessment by the DPA.

Last modified 27 January 2025

Data Protection Law does not provide for any provisions regarding breach notification requirements. In other words, data operators are not obliged to notify the owners of personal data regarding any identified or potential confidentiality breach. However, the Data Protection Law envisages that data operators are obliged to block any personal data within one working day, if there is risk that a breach occurred.

Last modified 23 December 2022

In the event of a breach of any Personal Data held by a Data Processor, the Data Processor shall inform the Data Controller of the incident without undue delay after becoming aware of the Personal Data Breach (Section 32(2) DPR).

If a Data Controller becomes aware of a Personal Data Breach, the Data Controller must inform the Commissioner of Data Protection of the incident without undue delay, and where feasible, not later than 72 hours after becoming aware of it (Section 32(1) DPR).

When the Personal Data Breach is likely to result in a high risk to the rights of natural persons, the Controller must communicate the Personal Data Breach to the Data Subject without undue delay.

Last modified 9 January 2024

If there is a Personal Data breach that compromises a Data Subject's confidentiality, security or privacy, the data Controller must, as soon as practicable in the circumstances (note that unlike the GDPR there is no hard deadline), notify the Personal Data breach to the Commissioner. Such notifications must include, at a minimum, the following information:

description of the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate amount of Personal Data records concerned;
the name and contact details of the DPO or other contact point where more information can be obtained;
a description of the likely consequences of the Personal Data breach; and
describe the measures taken or proposed to be taken by the Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide all of the information at (a) – (d) at the same time, the information may be provided in phases, as it becomes available.

In addition, Processors must notify Controllers without undue delay after becoming aware of a Personal Data breach.

Controllers and Processors must fully co-operate with any investigation of the Commissioner in relation to a Personal Data breach.

Controllers must also document in writing any Personal Data breaches, including the facts relating to the Personal Data breach, its effects and the remedial action taken. The information recorded must be sufficient to enable the Commissioner to verify compliance with the law and must be made available without delay on request.

(Article 41 DPL)

A Controller must make a notification to a Data Subject as soon as practicable in the circumstances (again, no hard deadline is mandated under the DPL or DPRs) where a Personal Data breach is likely to result in a high risk to the security or rights of a Data Subject. If there is an immediate risk of damage to the Data Subject, the Controller must promptly communicate with the affected Data Subject (for example, where his or her banking details are the subject of the breach).

Where a communication to the individual Data Subjects would involve disproportionate effort, a public communication or similar measure whereby the Data Subjects are informed in an “equally effective manner” will be sufficient.

Such notifications must include, at least, the information listed in (b) – (d) above, in clear and plain language. It must also, where possible, make recommendations for the Data Subject to mitigate against any potential adverse effects.

The Guidance to the DIFC DPL (“Guidance”) recommends that Controllers and Processors have in place an incident management policy which enables them to comply with the law in a timely fashion. It recommends clear incident classification as well as setting out the reporting requirements (including who to notify and when, with time being of the essence).

(Article 42 DPL)

Last modified 27 January 2025

There is no specific requirement set out in the HDPR obliging a Licensee to inform the CPQ in the event of a breach. Licensees are required to inform the Customer Protection Unit (within CPU) on a periodic basis of any security incidents.

Last modified 27 January 2025

Article 9 of the PDPL requires that the Controller shall, immediately upon becoming aware of any infringement or breach of the Personal Data of the Data Subject that would prejudice the privacy, confidentiality and security of such data, report such infringement or breach and the results of the investigation to the Office within such period and in accordance with such procedures and conditions as set by the Executive Regulations. At the date of writing this update, the Executive Regulations have not yet been published.

Additional breach notification obligations may also apply under Article 6 of the Consumer Protection Regulation, which requires Licensed Financial Institutions to notify the CBUAE of "significant breaches" of Consumer. Licensed Financial Institutions must also notify Consumers "without undue delay" where a breach "may pose a risk to the financial and personal security of the Consumer. Licensed Financial Institutions are also liable to reimburse Consumers for actual harm suffered from a data breach.

Last modified 27 January 2025

Section 23 of the Data Protection and Privacy Act and Regulation 33 of the Data Protection and Privacy Regulations impose a duty on a data processor, data collector or data controller to immediately notify the Personal Data Protection Office, where there is reasonable belief that personal data has been accessed or acquired by an unauthorised person. The Data Protection Office is then charged with determining whether or not the affected data subjects should be notified of the breach, and guiding the reporting entity on the manner of such notification.

Data collectors, processors and controllers registered with the Office are required to submit an annual report summarizing any data breaches suffered and how they were addressed.

Last modified 27 January 2025

There is no requirement to report data security breaches or losses to the appropriate state authority.

Last modified 27 January 2025

The UK GDPR contains a general requirement for a personal data breach to be notified by the controller to the ICO, and for more serious breaches to also be notified to affected data subjects. A "personal data breach" is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the ICO without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the ICO must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the ICO.

Breaches in the United Kingdom can be reported to the ICO's dedicated breach helpline during office hours (+44 303 123 1113). Outside of these hours (or where a written notification is preferred) a pro forma may be downloaded and emailed to the ICO.

Last modified 6 February 2025

All 50 US states, Washington, DC, and most US territories (including, Puerto Rico, Guam and the Virgin Islands) have passed breach notification laws that require notifying state residents of a security breach involving more sensitive categories of information, such as Social Security numbers and other government identifiers, credit card and financial account numbers, health or medical information, insurance ID, tax ID, birthdate, as well as online account credentials, digital signatures and/or biometrics.

Under many state laws, where more than 500 individuals are impacted, notice must also be provided to credit bureaus. Nearly half of states also require notice to state Attorneys General and / or other state officials of certain data breaches. Further, certain states require impacted individuals to be provided with credit monitoring services for specified lengths of time if the breach involved Social Security numbers. Finally, some state data breach laws impose certain (varying) notice content and timing requirements with respect to notice to individuals and to state Attorneys General and/or other state officials.

Federal laws require notification in the case of breaches of healthcare information, breaches of information from financial institutions, breaches of telecom usage information held by telecommunication providers, and breaches of government agency information.

Last modified 6 February 2025

Data breaches and data incidents must be reported to the URCDP and to the Data Subject.

Once the DPO or the Data Controller confirms the occurrence of a security breach, it must be notified to the URCDP within 72 hours.

Notification to data subjects must be done once the DPO or the Data Controller confirms the occurrence of a security breach. The Uruguayan Data Privacy Act requires the notification to be effected “as soon as practicable”, but fails to spell out a precise time frame for such notice.

Legal requirement of the data breach/incident

Notification to the Regulator must contain relevant information, including the:
- certain or estimated date of the occurrence of the breach;
- main characteristics of the breach;
- details of the data affected; and
- the possible impacts.
The regulation does not state any formalities to the communication to the Data subject. However, it states that such notification must be clear and simple.

After the first notification to the Regulator within the first 72 hours after the Data Breach/incident, a second communication must be done by the DPO or the Data Controller to the Regulator. The second report must indicate all the details of what happened and the measures that were adopted and carried out so that such violation/incident has been mitigated and does not occur again. The Act does not state a time frame for execution of the second report.

Last modified 28 January 2024

There is no requirement on breach notification under the Law on Personal Data. However, in case of violation of data processing rules (e.g. unauthorized data processing), the owner / operator of personal data must suspend processing of personal data or destroy them.

Last modified 27 January 2025

There is no legal obligation to disclose a data breach.

Mandatory Breach Notification

It is not mandatory to disclose a data breach.

Last modified 12 December 2022

The laws of Vietnam introduced a general requirement for the reporting and notification of actual or suspected personal information security incidents. A data breach reporting / notification requirement in Vietnam will be triggered if the data incident falls within any of the following scenarios:

Scenario 1. The affected data system is located in Vietnam.

Scenario 2. The services provided to customers in Vietnam fall under the categories of Regulated Services, including (1) telecommunication services; (2) data storage and sharing in cyberspace; (3) services providing national or international domain names to service users in Vietnam; (4) e-commerce; (5) online payment; (6) payment intermediary; (7) connecting transportation in cyberspace; (8) social networks and social media; (9) online games; and (10) other services that provide, manage and operate information in cyberspace in the form of messages, voice calls, video calls, email, or online chatting.

Scenario 3. The incident causes “significant loss” to the legitimate rights and interests of the affected Vietnamese persons.

Where there is a data security incident, organizations must promptly take relevant measures to mitigate and notify relevant data subjects and / or relevant competent State authorities, as the case may be, in a timely manner, e.g. 5 days after detection of the security incident, and must provide an update on the incident status when it is completely resolved. Affected organizations and individuals must be notified of the data incident if the incidents fall under Scenario 2 or Scenario 3.

In the case of an incident under Scenario 1 that is beyond the control of the organization, the operator of the information system must immediately prepare an initial report on the incident to report such incident to the relevant agencies and a final report on response to the incident within five days after finishing responding to the incident. Moreover, if the information system of a trader, organization or individual engaged in e-commerce is attacked causing risk of loss of consumer’s information, the data controller must notify the authorities within 24 hours after the detection of incident.

Normally, the data controller would be required to give relevant notifications to the following State authorities:

Local police agency (i.e. A05 under the MPS with regard to offshore service providers, provincial police department where the head office of data controller is located); and
VNCERT/CC directly managed by the AIS under the MIC.

Scenario 4: The PDPD sets out a reporting requirement that upon detection of any violation against regulations on personal data protection (which can be interpreted to include data breach incidents), the controller / controller-processor shall notify the A05 within 72 hours of the occurrence of such violation. The reason for late notification, if any, must be provided.

The information to be notified will include:

Description of the nature of the violation, including: time, place, violation, organization, individual, types of personal data and the amount of relevant data;
Contact details of the employee(s) assigned to protect the data or organizations or individuals that are responsible for protecting personal data;
Description of consequences and damage that may occur;
Description of measures for handling and minimizing the harm caused by the violation.

If the abovementioned contents cannot be fully notified, the notification may be made in multiple stages. Thereafter, the controller / controller-processor shall prepare written minutes confirming the occurrence of the violation of the regulations on personal data protection, and coordinate with the A05 to handle the violation. In practice, as the 72-hour timeframe is very tight, more often than not, data controllers find it very challenging to comply with this timeframe. To the best of our knowledge, the regulator has not yet penalized any data controllers that filed the report, but failed to meet the deadline.

In addition to the four scenarios mentioned above, data breach notification requirements are also imposed by sector-specific laws / regulation, such as laws / regulations governing financial services, e-commerce services, etc.

Last modified 20 January 2025

A data controller shall notify the Data Protection Commissioner within twenty-four hours of any security breach affecting personal data processed.

A data processor shall notify the data controller, as soon as practicable of any security breach affecting personal data processed on behalf of the data controller.

A data controller or data processor shall notify the data subject, as soon as practicable of any security breach affecting personal data processed.

Mandatory breach notification

A data controller shall notify the Data Protection Commissioner within twenty-four hours of any security breach affecting personal data processed.

A data processor shall notify the data controller, as soon as practicable of any security breach affecting personal data processed on behalf of the data controller.

A data controller or data processor shall notify the data subject, as soon as practicable of any security breach affecting personal data processed.

Last modified 27 January 2025

Data controllers must report data breaches to the Authority within 24 hours of becoming aware of a breach affecting the data they or their processor handles.

If a breach poses a high risk to individuals' rights and freedoms, the data controller must inform the affected data subjects within 72 hours.

Last modified 27 January 2025

Quick links

Data Protection in Albania

Breach notification

Controller’s notification to the Commissioner (Article 29)

Controller’s notification to the data subjects (Article 29)

Processor’s notification to the controller (Article 29)

Administrative measures

Criminal sanctions

Mandatory breach notification

Mandatory breach notification

National Ordinance Person Registration

GDPR

Eligible data breaches

Other notification obligations

Mandatory breach notification

EU regulation

Belgium regulation

Personal Data Protection Act BES

GDPR

Mandatory Breach Notification

EU regulation

Bulgaria regulation

Mandatory breach notification

Mandatory breach notification

Mandatory breach notification

EU regulation

Croatia regulation

Mandatory breach notification

National Ordinance Personal Data Protection

GDPR

EU regulation

Cyprus regulation

Mandatory breach notification

EU regulation

Denmark regulation

Mandatory breach notification

Mandatory breach notification

EU regulation

Estonia regulation

EU regulation

Finland regulation

EU regulation

France regulation

Mandatory breach notification

EU regulation

Germany regulation

Mandatory breach notification

EU regulation

Greece regulation

Parallel application of data protection and cybersecurity law

Mandatory breach notification

What is a breach?

Notice to ODPA

Notice to data subjects

Notice to controller (where a processor is engaged)

Other regulatory notification requirements

Mandatory breach notification

EU regulation

Iceland regulation

Reporting obligations to relevant authorities

Notification obligations to relevant data subject

EU regulation

Ireland regulation

EU regulation

Italy regulation

Mandatory breach notification

Section 43 of the Act

Mandatory Breach Notification

Breach notification to the IPA

Breach notification to the Data Subject

EU regulation

Latvia regulation

Mandatory breach notification

Mandatory breach notification

EU regulation

Lithuania regulation

EU regulation

Luxembourg regulation

EU regulation

Malta regulation