> For the complete documentation index, see [llms.txt](https://doc.dastra.eu/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://doc.dastra.eu/en/useful-reminders/gdpr-key-concepts/data-breaches.md). # Data breach notifications ### ๐Ÿ“– Definition According to [Article 4.12 of the GDPR](https://gdpr-info.eu/art-4-gdpr/), a **personal data breach** is: > *A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.* In other words, it is any **security incident**, whether **intentional or accidental**, that compromises: * **Confidentiality** (unauthorised access, disclosure), * **Integrity** (alteration, falsification), * **Availability** (loss, deletion, unavailability). *** ### โš ๏ธ Typical examples * Accidental deletion of medical data not saved elsewhere. * Loss of an unencrypted USB key containing a customer database. * Server hack exposing email addresses and passwords. * Email containing personal data sent to the wrong recipient. * HR information leak on an unsecured shared space. *** ### ๐Ÿงฉ Three main types of breach | Type | Description | Example | | ------------------- | ------------------------------------------ | ------------------------------ | | **Confidentiality** | Unauthorised access or disclosure | Data leak through phishing | | **Integrity** | Unauthorised modification or falsification | Alteration of a medical record | | **Availability** | Accidental loss or destruction | Data deleted without backup | *** ### ๐Ÿ•“ Legal obligations for the data controller #### 1๏ธโƒฃ Notification to the supervisory authority * **Deadline**: 72 hours after becoming aware of the breach. * **Content**: nature of the breach, categories and volume of data involved, likely consequences, measures taken or planned. > If notification cannot be made within 72 hours, the **delay must be justified**. ๐Ÿ“š Reference: [Article 33 of the GDPR](https://gdpr-info.eu/art-33-gdpr/) *** #### 2๏ธโƒฃ Communication to data subjects If the breach **presents a high risk to individuals' rights and freedoms**, they must be informed **without undue delay**: nature of the breach, data affected, measures taken, recommendations (e.g. change password). ๐Ÿ“š Reference: [Article 34 of the GDPR](https://gdpr-info.eu/art-34-gdpr/) *** #### 3๏ธโƒฃ Mandatory internal documentation Even when no notification is required, **every breach must be recorded** in an internal register (facts, effects, corrective measures). This allows you to **demonstrate compliance** (accountability). *** ### ๐Ÿ” The breach management cycle 1. **Detection** โ†’ Identification of an incident or abnormal behaviour. 2. **Qualification** โ†’ Verify whether personal data is involved. 3. **Risk assessment** โ†’ Impact on individuals' privacy. 4. **Notification (if required)** โ†’ Supervisory authority within 72h, data subjects if high risk. 5. **Remediation** โ†’ Corrective and preventive measures. 6. **Documentation** โ†’ Entry in the breach register. 7. **Lessons learned** โ†’ Organisational or technical adjustments. *** ### ๐Ÿง  Security best practices * Prepare an **incident management plan** and test it regularly. * Train teams on **rapid detection and escalation** of incidents. * Implement **preventive measures** (MFA, network segmentation, backups). * Use a **centralised register** to track each breach and its resolution. *** ### ๐Ÿงพ Managing breaches in Dastra | Step | Dastra feature | | ------------ | ---------------------------------------------------------------- | | Declaration | Customisable breach report form | | Assessment | Automatic risk calculation for individuals' rights | | Notification | Report generation for the DPA and communication to data subjects | | Monitoring | Action log and remediation plan | | Reporting | Dashboards and compliance indicators | *** ### ๐Ÿ“š Useful resources * [ICO โ€“ Reporting a data breach](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/) * [ENISA โ€“ Data Breach Notification Guidelines](https://www.enisa.europa.eu/) *** {% hint style="success" %} ๐Ÿ’ก **Good practice:** A quickly reported incident limits the impact, reinforces transparency and demonstrates compliance mastery. Dastra helps you structure and document each step of the process. {% endhint %} *** ### ๐Ÿ“˜ For more information {% content-ref url="/pages/-M31zD6jKngOCW1hmuCc" %} [Manage data breach notifications](/en/features/notifier-les-violations-de-donnees.md) {% endcontent-ref %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://doc.dastra.eu/en/useful-reminders/gdpr-key-concepts/data-breaches.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.