
Data Protection Breach Scenarios for Discussion
Explore examples of personal data breaches and discuss the necessary actions controllers must take in notifying supervisory authorities and data subjects. Topics include stolen USB keys, accidental email disclosures, and cyber attacks.
Presentation Transcript
JUDICIAL TRAINING ON DATA PROTECTION AND PRIVACY RIGHTS
Zadar, 29 June 2022
BREACHES OF PERSONAL DATA - EXAMPLES
Jonika Marflak Trontelj, LLM, Higher Court Judge, Administrative Court of the Republic of Slovenia
[AD/2022/06]
With financial support from the Justice Programme of the European Union
1. EXAMPLE
A controller stored an encrypted backup of personal data on a USB key. The USB key is stolen.
Questions for discussion:
- Does the controller need to notify this event to the supervisory authority (and) the data subject?
- Is the answer different if the key or password is later compromised?
2. EXAMPLE
The controller accidentally sent a bulk mail inviting a small number of people to a community event, using the "To" field and not the "Bcc" field, thereby enabling each recipient to see the mail addresses of the other recipients.
Question for discussion:
- Does the controller need to notify this event to the supervisory authority (and) the data subject?
3. EXAMPLE
The controller sent a bulk mail to a group of people who are receiving mental health counselling from the controller, and the context of the mail identified health information about those people. The mail was sent using the "To" field and not the "Bcc" field, thereby enabling each recipient to see the mail addresses of the other recipients.
Question for discussion:
- Does the controller need to notify this event to the supervisory authority (and) the data subject?
4. EXAMPLE
A brief power outage lasting several minutes occurs at a mobile phone company's call centre, meaning customers are unable to call the company (controller) and access their records.
Question for discussion:
- Does the controller need to notify this event to the supervisory authority (and) the data subject?
5. EXAMPLE
A controller maintains an online service. As a result of a cyber attack on that service, personal data of individuals are exfiltrated.
Question for discussion:
- Does the controller need to notify this event to the supervisory authority (and) the data subject?
6. EXAMPLE
Hackers had stolen nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts.
Question for discussion:
- Does the controller need to notify this event to the supervisory authority (and) the data subject?
7. EXAMPLE
Medical records in a hospital are unavailable for a period of 24 hours due to a cyber attack.
Question for discussion:
- Does the controller need to notify this event to the supervisory authority (and) the data subject?
8. EXAMPLE
An individual informs a bank that he/she received the monthly statement of someone else.
Question for discussion:
- Does the controller need to notify this event to the supervisory authority (and) the data subject?
You can find more examples in the Guidelines on Personal data breach notification under Regulation 2016/679.