Violation of data protection

Data protection violation vs. personal data breach vs. data mishap

The terms data protection violation, personal data breach and data mishap are mostly used interchangeably, although there are differences between them:

Data protection violation: Any violation of the General Data Protection Regulation. Depending on the severity of the violation, a distinction is made between

  • administrative offences and
  • criminal offences.

Personal data breach: A personal data breach exists only if there is a "breach of the protection of personal data". According to Art. 4 No. 12 GDPR and Art. 33 GDPR, this applies only if

  • there is a breach of security,
  • which, whether accidental or unlawful, leads to the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data
  • that have been transmitted, stored or otherwise processed.

Data mishap: The colloquial term for a personal data breach.


When is there a data breach?

A personal data breach does not have to be something big like a hacker attack; it can also be caused by an unencrypted USB stick lost on the subway, for example. In any case, it is important to report the breach to the competent supervisory authority within 72 hours of becoming aware of it, in order to limit the damage. It also makes sense to involve your internal or external data protection officer beforehand, who will help you assess the incident and decide on the next steps. Failure to report can result in a fine in the millions (up to 10 million euros or up to 2% of worldwide annual turnover under Art. 83(4)(a) GDPR). In addition, the damage to a company's reputation caused by a covered-up data breach should not be underestimated.

Important to know: If you are a processor and a personal data breach occurs, you must notify the controller (= your client) without undue delay after becoming aware of it (Art. 33(2) GDPR). The controller must then report the breach to the supervisory authority. The processor has a duty to cooperate with the controller in doing so.


First aid for data protection violations

What should you do in the event of a personal data breach in your company? We have put together a downloadable guide to give you an overview. It is important that all employees of a company are made aware of this topic so that they can react quickly and correctly in an emergency.

FAQ on personal data breaches

When do I have to report a personal data breach?

A report must be made to the data protection supervisory authority if a personal data breach has been identified and it is likely to result in a risk to the rights and freedoms of the data subjects. The reporting obligation under Art. 33 GDPR therefore always presupposes a personal data breach. No reporting obligation exists, however, if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

A risk assessment must therefore be carried out as to whether the personal data breach has created a low or a high risk for the data subjects.

Examples of a high risk:

  • Loss of an unencrypted USB stick containing customer data

  • Sending passwords or other sensitive data by email to several customers with the recipients in an open distribution list (CC instead of BCC)

  • Sending health data to the wrong patients

Examples of a low risk:

  • Loss of an encrypted laptop, USB stick or smartphone (provided the encryption key or password has not also been compromised)

  • A misdirected letter that came back unopened

  • Unauthorised third-party access to data that is encrypted, where the attacker does not also hold the key

According to Art. 33 GDPR, a personal data breach must be reported to the competent supervisory authority within 72 hours of the controller becoming aware of it. If the report is made later, it must be accompanied by reasons for the delay.

Do I also have to inform the data subjects about a personal data breach?

In addition to the reporting obligation towards the supervisory authority, under Art. 34 GDPR it may also be necessary to inform the natural persons concerned about the personal data breach and its likely consequences for them. The regulation states that data subjects only need to be notified if the breach is likely to result in a high risk to their rights and freedoms.

Such a risk exists above all with special categories of personal data under Art. 9(1) GDPR (e.g. health data, ethnic origin), with personal data relating to criminal convictions, and with authentication data, for example the credentials for an email inbox.

How do I report a personal data breach?

In the event of a personal data breach there is a reporting obligation: the report must be made to the competent supervisory authority, in Germany the authority of the federal state in which the controller has its establishment. Most data protection authorities provide online forms for reporting personal data breaches. You can find these on the website of your competent supervisory authority.

The report to the supervisory authority must contain at least the following information (Art. 33(3) GDPR):

  • A description of the nature of the personal data breach

  • The categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned

  • The name and contact details of the data protection officer appointed by the company, or of another point of contact for further information

  • A description of the likely consequences of the personal data breach

  • A description of the measures taken or proposed to address the personal data breach and, where appropriate, to mitigate its possible adverse effects

If not all of this information is available within 72 hours, it may be provided in phases without undue further delay (Art. 33(4) GDPR). Independently of the report, the controller must document every personal data breach, including its facts, effects and the remedial action taken (Art. 33(5) GDPR), so that the supervisory authority can verify compliance.

What happens if I do not make a report or notification?

If the controller fails to report to the supervisory authority as required, this constitutes a violation under Art. 83(4)(a) GDPR that can be penalised with a fine of up to 10 million euros or up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. An incomplete report, an omitted follow-up report and missing or incomplete documentation of the personal data breach are also to be assessed as violations by the controller.

If the controller fails to notify the data subjects as required under Art. 34 GDPR, the supervisory authority can likewise penalise the violation with a fine under Art. 83(4)(a) GDPR.

A personal data breach can also mean non-material damage. A lasting loss of trust among customers, employees and business partners and immense damage to the company's image can be the result.

So do not hesitate: contact us immediately after discovering a personal data breach in your company!

Reputational damage due to a data breach or data protection violation

In the event of a personal data breach, for example as a result of a hacker attack or gaps in its own IT, a company suffers data loss or the improper disclosure of data. Art. 33 and Art. 34 GDPR provide for an obligation to inform the data protection authority and, in the case of high risk, the data subjects. The duty to inform data subjects concerns in particular very sensitive personal data such as health data or bank account data. More serious than the sanctions the GDPR provides for can be the damage to image and reputation that a company suffers through data breaches.

EU citizens exercise their data protection rights

The number of complaints regarding data protection violations rose enormously in 2018. The new EU GDPR has raised citizens' awareness of their data protection rights. They are aware of the value of their personal data and are ready to report suspected violations.

This also affects companies in which employees have been made aware of the topic of data protection. The number of reported data breaches multiplied from 2017 to 2018. The relevance and explosiveness of the subject of data protection also seem to have arrived in companies. No prison sentences were imposed, but drastic fines had to be paid by companies.

Business model data protection lawsuit?

Until now, claims arising from data protection violations have usually been for financial losses. With the GDPR, asserting non-material damage has become much easier, and since a large number of people are often affected by a single data protection incident, this harbours an enormous compensation risk for companies. A few providers in Germany, still few but growing in number, already assert such claims for non-material damages under Art. 82 GDPR on a large scale. This is comparable to the portals for asserting compensation claims in the event of flight delays. These procedures are often automated using legal tech applications in order to advance as many proceedings as possible at the same time.

New legal situation after judgment

So far, this practice has been highly controversial, but a judgment of the Düsseldorf Labour Court (ArbG Düsseldorf) of 05/05/2020 could change this. In those proceedings, a company was ordered to pay 5,000 euros in damages for a data protection violation because it had responded late and incompletely to a former employee's request for information. The reasoning: even the defective provision of such information constitutes non-material damage that can be compensated under Art. 82 GDPR. The judges' statement that the compensation must have a deterrent effect is particularly noteworthy: the company's financial capacity was therefore taken into account when assessing the amount.

It is foreseeable that cases like this will continue to occupy the courts across the board. If other courts, in particular the Düsseldorf Higher Labour Court on appeal, follow the view of the ArbG Düsseldorf, the controversial "GDPR lawsuit" ruling will probably become the blueprint for the "data protection lawsuit" business model. Companies will then be confronted with a large number of claims for damages under Art. 82 GDPR.

It will also be exciting to see how this potential line of business will continue.

Do you need help with data protection or do you have questions about data protection violations?
We would be happy to advise you, without obligation, on our individual data protection solutions.
