(1)If a controller becomes aware of a personal data breach in relation to personal data for which the controller is responsible, the controller must notify the breach to the Commissioner—
(a)without undue delay, and
(b)where feasible, not later than 72 hours after becoming aware of it.
(2)Subsection (1) does not apply if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
(3)Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.
(4)Subject to subsection (5), the notification must include—
(a)a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b)the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
(c)a description of the likely consequences of the personal data breach;
(d)a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(5)Where and to the extent that it is not possible to provide all the information mentioned in subsection (4) at the same time, the information may be provided in phases without undue further delay.
(6)The controller must record the following information in relation to a personal data breach—
(a)the facts relating to the breach,
(b)its effects, and
(c)the remedial action taken.
(7)The information mentioned in subsection (6) must be recorded in such a way as to enable the Commissioner to verify compliance with this section.
F1(8). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(9)If a processor becomes aware of a personal data breach (in relation to personal data processed by the processor), the processor must notify the controller without undue delay.
Textual Amendments
F1S. 67(8) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 39 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)