Untitled Document

Reporting to Authority


Intro: What is meant by the obligation to notify the authority, what function does the notification have and what must be observed when implementing it?

To-Dos: What is the specific procedure for notifying the authority and the associated obligations?

Statements: What have the data protection supervisory authorities published on the subject of reporting to the authority?






Report data breaches to the authorities in accordance with the law





What is meant by the obligation to notify the authority, what function does the notification have and what must be observed when implementing it?

A notification to the data protection supervisory authority is always required if a data breach has occurred and a risk has arisen for the persons affected by it. Such a data breach occurs whenever there has been a breach of data security (e.g. a hacker attack) and a risk has arisen as a result (e.g. because the hacker has demonstrably accessed the exposed data; for more details see: data breach cluster).

In such a case, the data protection supervisory authority responsible for the company must be notified within 72 hours and the legally defined information must be provided. This includes:

  • Description of the nature of the breach: categories and approximate number of data subjects concerned, categories and approximate number of personal data records concerned
  • Name and contact details of the data protection officer or other contact point for more information
  • Likely consequences of the personal data breach
  • Description of the measures taken or proposed to be taken by the controller to address the personal data breach (including measures to mitigate possible adverse effects)


In addition to the reporting requirements, the controller must document every personal data breach (including a description of the breach, its effects and the remedial action taken).

The obligation to report a data breach lies with the controller. If the data breach occurs on the side of the processor, the processor is obliged to inform the controller. The deadline for such a processor notification is normally specified in the data processing agreement.

The involvement of the authority enables an independent treatment of the data breach. The authority may instruct the controller on how the breach should be handled. For example, the authority has the power to direct the controller to inform the data subjects of the breach (even if the controller is of the opinion that the breach does not involve a high risk).



What is the specific procedure for notifying the authority and the associated obligations?

1. Inform the department responsible for reporting (usually the data protection or legal department); a corresponding internal reporting obligation should be anchored in a data breach policy within the company.

2. Determine the legally defined information together with the respective department concerned.

3. Create the notification text, if necessary using an online form from the responsible data protection supervisory authority.

4. Contact the authority and, if necessary, receive assessments/orders from this authority.

5. Document the data breach.





>> Find out which other data protection obligations have to be considered with respect to European data protection law.





Appoint a cost-effective data protection officer now

Do you need support with the implementation of data protection requirements? Find out more about our data protection packages.

We are

  • familiar with the characteristics of small and large companies
  • experienced in communicating with data protection authorities
  • active in data protection for over 10 years.