Information Commissioner, Republic of Slovenia

Date: 05.08.2019
Title: GDPR Consumer data breach notification data
Number: 0712-7/2019/7
Subject: Notification of security breaches, Security of personal data
Legal act: Opinion

The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection, hereinafter: Slovenian DPA) received your question regarding GDPR consumer data breach notification. You are part of the European company CEAi (Central European Artificial Intelligence), where one of the projects, named "Tower Street", researches cyber attacks and, specifically, data breaches. You have already collected a lot of information on American incidents from publicly accessible data, which you share with the academic and research community. In addition to those data, you would also like to obtain and share data on European incidents, which is not yet publicly available. You are therefore asking for the data on breaches of consumer data that companies have notified to our institution. These are usually lists containing the company's name, the date of the notification and whatever other data the company sends to our institution, which depends on GDPR rules and national specific regulations.


The duty to notify the competent supervisory authority of a detected personal data breach was introduced by the General Data Protection Regulation (Article 33), which obliges controllers to notify a personal data breach to the competent supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must be made without undue delay after the breach has been detected and, where feasible, within 72 hours at the latest; where it is not made within 72 hours, it must be accompanied by the reasons for the delay.


In accordance with the General Data Protection Regulation, the Slovenian DPA has published information on the controllers' obligation to notify personal data breaches on its website. At the European level, a template for the personal data breach notification form, to be implemented by all supervisory authorities, was adopted. The form, which specifies the information that controllers have to provide to the supervisory authority for each incident, is accessible via the official website of the Slovenian DPA.


However, the Slovenian DPA does not currently keep a record of reported personal data breaches at the level of the individual data from the form; it keeps only aggregated annual statistics, which are segmented by:

  1. the sector to which the controller belongs (financial, educational, health, telephone operators, other),
  2. the method of reporting (via form, via e-mail, other),
  3. the types of personal data breached (personally identifiable information - PII, contact data, financial and economic data, special categories of personal data),
  4. the kind of breach (unauthorized access, unauthorized disclosure, intrusion into the IT system, disposal or loss of IT equipment),
  5. the type of breach (confidentiality, integrity, availability) and
  6. the number of affected individuals (1-10, 11-100, 101-500, 500+, unrated).

In 2018, the Slovenian DPA received a total of 68 notifications of personal data breaches, distributed as follows:

Sector:
  financial                 13
  educational               11
  health                    13
  telephone operators        2
  other                     29

Method of reporting:
  via form                  52
  via e-mail                10
  other                      6

Types of personal data breached (the counts sum to more than 68 because one notification may involve several types of data):
  personally identifiable information - PII     55
  contact data                                  34
  financial and economic data                   12
  special categories of personal data           12

Kind of breach:
  unauthorized access                           15
  unauthorized disclosure                       32
  intrusion into the IT system                  12
  disposal/loss of IT equipment                  9

Type of breach (the counts sum to more than 68 because one notification may affect more than one of confidentiality, integrity and availability):
  confidentiality           63
  integrity                  2
  availability               7

Number of affected individuals:
  1-10                      25
  11-100                    11
  101-500                    7
  500+                      14
  unrated                   11


Kind regards,


Mojca Prelesnik,

Information Commissioner of the Republic of Slovenia