What other information must the controller provide?

A personal data breach has occurred, and the controller is writing a draft notification for the supervisory authority.

The following information is already in the notification:

– The nature of the personal data breach and its possible consequences.

– Information regarding the parties that can provide additional information about the data breach.

What other information must the controller provide?
A . Information of local and national authorities that were informed about the data breach.
B . Name and contact details of the data subjects whose data may have been breached
C . Suggested measures to mitigate the adverse consequences of the data breach.
D . The information needed to access the personal data that have been breached.

View Answer

Answer: C

Explanation:

Information of local and national authorities that were informed about the data breach. Incorrect. The supervisory authority must be made aware of reports to supervisory authorities in other EEA countries. Reports to local authorities, for instance the police, do not need to be reported.

Name and contact details of the data subjects whose data may have been breached. Incorrect. The supervisory authority requires an estimate of the number of data subjects involved, not their personal data.

Suggested measures to mitigate the adverse consequences of the data breach. Correct. The controller should add suggested measures to mitigate the adverse consequences of the data breach. (Literature: A, Chapter 7; GDPR Article 33(q))

The information needed to access the personal data that have been breached. Incorrect. The supervisory authority needs to know the type of personal data involved, but does not need access to the data themselves.