Part 5 Data protection and privacy

Chapter 2 Privacy and electronic communications

111 Duty to notify the Commissioner of personal data breach: time periods

(1)

In regulation 5A of the PEC Regulations (personal data breach)—

(a)

in paragraph (2), after “delay” insert “and, where feasible, not later than 72 hours after having become aware of it”, and

(b)

after paragraph (3) insert—

“(3A)

Where notification under paragraph (2) is not made within 72 hours, it must be accompanied by reasons for the delay.”

(2)

In regulation 5C of the PEC Regulations (personal data breach: fixed monetary penalty)—

(a)

in paragraph (4)(f), for “from the service of the notice of intent” substitute “beginning when the notice of intent is served”, and

(b)

in paragraph (5), for “21 days of receipt of the notice of intent” substitute “the period of 21 days beginning when the notice of intent is received”.

(3)

In Article 2 of Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (notification to the Commissioner)—

(a)

in paragraph 2—

(i)

in the first subparagraph, for the words from “no” to “feasible” substitute “without undue delay and, where feasible, not later than 72 hours after having become aware of it”,

(ii)

in the second subparagraph, after “shall” insert “, subject to paragraph 3,”, and

(iii)

after the third subparagraph insert—

“This paragraph is to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”, and

(b)

for paragraph 3 substitute—

“3.

To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.”