GDPR Article 34 — Communication of a personal data breach to the data subject
Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
If a breach poses a HIGH RISK to individuals, you must notify the affected people directly. Encryption is a safe harbor: if the data is encrypted and the key is safe, individual notification may not be required.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication shall describe in clear and plain language the nature of the personal data breach and contain: the contact details of the data protection officer; a description of the likely consequences of the breach; a description of the measures taken to address the breach.