Article 29*

Article 29 – Communication of a personal data breach to the data subject

1. Member States shall provide that when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 28, communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b) and (c) of Article 28(3).

3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the personal data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

4. The communication to the data subject may be delayed, restricted or omitted on the grounds referred to in Article 11(4).

Article 29 – Communication of a personal data breach to the data subject

1. Member States shall provide that when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 28, communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (a) to (e) (b) and (c) of Article 28(3).

3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the personal data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

4. The communication to the data subject may be delayed, or restricted or omitted on the grounds referred to in Article 11(4).

Justification

Providing additional information on the breach can help to empower data subject to take precautions to minimise adverse consequences of the breach. The change in paragraph mirrors the proposed changes in Article 11.

  • eu logo The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: