Personal Data Breach: Discover the Consequences of Non-Compliance and the Legal Penalties

As a company or organization handling personal data, you need to be aware of the potential legal penalties for non-compliance with data protection regulations. If you want to become more acquainted with personal data, read our introductory article on personal data first.

Our comprehensive post will guide you through the essential aspects of Personal Data Breaches and their consequences.

What does a Personal Data Breach mean?

In today’s data-driven world, safeguarding personal information is paramount. The GDPR has established crucial principles and obligations for collecting, using, and processing personal data (find out more about this regulation in our article about the GDPR).

But what exactly constitutes a personal data breach under this regulation?

A Personal Data Breach occurs when data for which your company or organization is responsible is compromised through an accidental or unlawful incident. The Breach can take various forms, including disasters, data loss, alterations, unauthorized disclosures, or unauthorized access to transmitted, stored, or processed Personal Data.

Non-compliance with data protection legislation can have severe consequences for your company. Violations may result in legal sanctions that can impact your business, including potential revenue losses stemming from Breaches of Personal Data Laws.

What should your company do in the event of a Personal Data Breach?

In the event of a Personal Data Breach that is likely to result in a risk to the rights and freedoms of natural persons, your company or organization should, within 72 hours of becoming aware of it:

  1. Notify the appropriate supervisory authority without undue delay.

The supervisory authority is an independent public authority tasked with monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons with regard to the processing of their Personal Data and to facilitate the free movement of Personal Data in the Union.

  2. Notify the data subjects affected by the Breach.

The type and procedures of notification are defined in detail in the respective legislation of each state. If the Breach is not notified within 72 hours, you must justify the reasons for the delay to the competent supervisory authority.

In the event that the company/organization is the processor, then they must inform the controller as soon as they become aware of the Personal Data Breach.

According to Article 4 of the GDPR: “Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

“Controller” means the natural or legal person designated by each company to determine the purposes and means of the processing of personal data.

In addition, where the breach is likely to jeopardize the rights and freedoms of the natural person, the controller should inform the data subject of the Breach.

How does the supervisory authority act in the event of a Personal Data Breach?

In accordance with Article 58 (2) of Regulation 2018/1725, the supervisory authority has the power to take corrective action based on the findings of its audit:

  1. If the intended processing operations are likely to violate the protection of personal data, it issues a warning to the controller.
  2. If it is established that the processing operations violate the GDPR, it issues a reprimand to the controller of the company, prohibits the processing of the data, and imposes fines of up to 20 million euros or up to 4% of the total turnover of the business, in accordance with Article 83 (6) of the GDPR.

In any case, it is possible that the Data Protection Authority imposes a fine on the company either in combination with other measures such as reprimanding and prohibiting the processing of Personal Data or as an alternative to those measures.

Of course, as the Regulation characteristically states, “the imposition of the fine should be effective, proportionate, and dissuasive for each individual case”. In order to impose such a fine, the supervisory authority must always take into account certain factors such as the gravity, the duration of the Breach, the intention of the person who caused the Breach and whether the person responsible acted to remedy the situation.

What rights does the person who suffered the Personal Data Breach have?

The person who has suffered the Breach should contact the company processing their personal data, i.e. the company’s controller, and the Data Protection Authority to report the Data Breach and request its confirmation.

Twitter's guide to reporting violations of the policy (example from Twitter.com)

If the person has suffered damage as a result of the violation of the Regulation, whether material (such as pecuniary loss) or non-material (such as mental distress), they are entitled to compensation and may submit a relevant request for this damage to the controller or processor. In particular, liability lies with:

  • The controller, when the damage was caused by processing on their part in violation of the law.
  • The processor, when the damage was caused by processing that did not meet the requirements of the law or the instructions of the controller within the framework of its obligations.

Furthermore, if the controller or processor does not compensate the affected data subject, the data subject may bring an action before the courts either of their place of residence or of the place of establishment of the controller or processor.

Of course, it is worth noting that if more than one controller or processor is involved in your company/organization, they are all responsible for any damage caused by the processing.

In particular, each controller or processor shall be liable for the total damage in order to ensure effective compensation of the data subject.

Thus, if one of the controllers/processors pays the compensation to the data subject, they may then claim a share of that compensation from the other controllers or processors associated with the Data Breach.

Learn more about the user’s rights in our article about the rights of the data subject.

National Legislation of States

In addition to all the above, each EU Member State has the possibility to introduce specific criminal sanctions for companies that violate the national rules concerning the implementation of the Regulation.

Specifically, in Greek legislation, for example, Article 39 of the Law on Personal Data stipulates that, depending on the act of violation, fines and/or imprisonment may be imposed.

Article 39 on criminal penalties, in Greek (example from opengov.gr)

In Cyprus, Law 125(I)/2018 has been enacted. Its provisions on the legal sanctions in the event of a Personal Data Breach are shown below:

Article 32 on administrative penalties and criminal offences, in Greek (example from the legislation of Cyprus)

This comprehensive guide will equip you with the knowledge and tools you need to safeguard personal data, comply with regulations, and keep your business thriving in today’s data-sensitive landscape. Don’t wait for a breach to happen – be prepared and proactive in securing your company’s future!

Author

Eleni Kostakoglou
Lawyer