41. Notification of Personal Data Breaches to the Commissioner
(1) If there is a Personal Data Breach that compromises a Data Subject's confidentiality, security or privacy, the Controller involved shall, as soon as practicable in the circumstances, notify the Personal Data Breach to the Commissioner.
(2) A Processor shall notify a relevant Controller without undue delay after becoming aware of a Personal Data Breach.
(3) A Controller or Processor shall fully co-operate with any investigation of the Commissioner in relation to a Personal Data Breach.
(4) The notification referred to in Article 41(1) shall at least:
(a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate amount of Personal Data records concerned;
(b) communicate the name and contact details of the DPO or other contact point where more information can be obtained;
(c) describe the likely consequences of the Personal Data Breach; and
(d) describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
(5) Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases when available.
(6) A Controller shall document in writing any Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken. The information recorded shall be sufficient to enable the Commissioner to verify compliance with this Article and shall be made available without delay on request.

42. Notification of Personal Data Breaches to a Data Subject
(1) When a Personal Data Breach is likely to result in a high risk to the security or rights of a Data Subject, the Controller shall communicate the Personal Data Breach to an affected Data Subject as soon as practicable in the circumstances. If there is an immediate risk of damage to the Data Subject, the Controller shall promptly communicate with the affected Data Subject.
(2) The communication to the Data Subject referred to in Article 42(1) shall describe in clear and plain language the nature of the Personal Data Breach and contain at least the information provided for in Articles 41(4)(b) to (d). Such communication shall, where possible, make recommendations for the Data Subject to mitigate potential adverse effects.
(3) Where a communication to the individual Data Subjects referred to in Article 42(1) will involve disproportionate effort, a public communication or similar measure by the Controller whereby the Data Subjects are informed in an equally effective manner shall be sufficient.
(4) If a Controller has not already communicated the Personal Data Breach to all relevant Data Subjects, the Commissioner may require it to do so, including where the Commissioner considers that there is a high risk to the security or rights of the Data Subjects involved, or otherwise direct it to make a public communication under Article 42(3).