The provider shall notify all personal data breaches to the F2Information Commissioner.

The provider shall notify the personal data breach to the F3Information Commissioner F4without undue delay and, where feasible, not later than 72 hours after having become aware of it.

The provider shall F5, subject to paragraph 3, include in its notification to the F3Information Commissioner the information set out in Annex I.

Detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation.

F6This paragraph is to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.

To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.

The F8Information Commissioner shall provide to all providers established in the F9United Kingdom a secure electronic means for notification of personal data breaches and information on the procedures for its access and use. F10...

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .