Article 2U.K.Notification to the competent national authority
1.The provider shall notify all personal data breaches to the competent national authority.
2.The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible.
The provider shall include in its notification to the competent national authority the information set out in Annex I.
Detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation.
3.Where all the information set out in Annex I is not available and further investigation of the personal data breach is required, the provider shall be permitted to make an initial notification to the competent national authority no later than 24 hours after the detection of the personal data breach. This initial notification to the competent national authority shall include the information set out in Section 1 of Annex I. The provider shall make a second notification to the competent national authority as soon as possible, and at the latest within three days following the initial notification. This second notification shall include the information set out in Section 2 of Annex I and, where necessary, update the information already provided.
Where the provider, despite its investigations, is unable to provide all information within the three-day period from the initial notification, the provider shall notify as much information as it disposes within that timeframe and shall submit to the competent national authority a reasoned justification for the late notification of the remaining information. The provider shall notify the remaining information to the competent national authority and, where necessary, update the information already provided, as soon as possible.
4.The competent national authority shall provide to all providers established in the Member State concerned a secure electronic means for notification of personal data breaches and information on the procedures for its access and use. Where necessary, the Commission shall convene meetings with competent national authorities to facilitate the application of this provision.
5.Where the personal data breach affects subscribers or individuals from Member States other than that of the competent national authority to which the personal data breach has been notified, the competent national authority shall inform the other national authorities concerned.
To facilitate the application of this provision, the Commission shall create and maintain a list of the competent national authorities and the appropriate contact points.