The obligation to notify the AEPD of security breaches within 72 hours persists during the state of alert
The Spanish Data Protection Agency (AEPD) has stated in a post on its blog that the suspension of administrative deadlines established by Royal Decree Law 463/2020 does not affect the obligation to notify security breaches within 72 hours.
Following the publication in the Official State Gazette of Royal Decree Law 463/2020 of 14 March, which declared the state of alert for the management of the health crisis caused by the spread of COVID-19, the Spanish Data Protection Agency (AEPD) received many queries about whether the obligation to notify security breaches under Article 33 of the General Data Protection Regulation (RGPD) still applied, given that the third additional provision of the Royal Decree Law suspends administrative periods.
In response, the AEPD published a statement on its blog clarifying that the suspension of administrative periods under that third additional provision in no case exempts controllers and processors from the obligation to notify the competent supervisory authority and, where appropriate, the affected data subjects of a personal data breach, as required by Article 33 of the RGPD.
Thus, if a security breach affects personal data processed by a controller or processor during the state of alert, they must proceed as originally foreseen: notify the AEPD electronically through its online portal (Sede Electrónica) within a maximum of 72 hours from the moment they become aware of the breach, and inform the affected data subjects without undue delay whenever the breach is likely to pose a high risk to their rights and freedoms.
The notification must include a description of the nature of the security breach, the name and contact details of the data protection officer or another contact point at the entity, the likely consequences of the incident, and the security measures to be implemented to mitigate its effects.
If not all of the required information is available within 72 hours, an initial notification containing the information available should be submitted within that period and then supplemented with further notifications as more information is obtained. Furthermore, if the party responsible for the notification was unable to submit it within the 72-hour period, it must state the reasons for the delay.
AddVANTE's Commercial Department remains at your disposal for further information or to resolve any doubts that may arise in relation to this article.