D: Changes and amendments of the BDSG 2009: Obligations in the event of unauthorized access to personal data
Category: News, Law
By: M. Belke - 2B Advice GmbH - the privacy benchmark
Amendments to the Federal Data Protection Act and the effect thereof on companies - Part 10
If a responsible party finds out, for example from the data protection officer, from supervisory authorities or from law enforcement agencies, that there has been unauthorized access to sensitive personal data, this party must in future take immediate action - that is, without intentional delay - and notify both the supervisory body and the affected party. In terms of priority, the notification measures must be carried out before the data protection measures.
In this context, sensitive data is not only the information listed in Section 3 (9) but also information subject to professional secrecy, data relating to punishable offenses, misdemeanors or suspicion thereof, as well as bank account or credit card information.
The obligation to inform also encompasses details of the way in which knowledge was obtained and of the possible consequences of the knowledge for the affected party. Notification can result in considerable expense if, for instance, the address details for the notification are not available. This does not, however, release the responsible party from its obligation to inform. On the contrary: in this case, it must publicly provide information in at least two daily newspapers distributed nationwide, with a notice covering at least half a page. Alternatively, an equally suitable measure in terms of effectiveness as regards informing the affected party may be selected. Thus, it may be the case that an event triggering the disclosure requirement is of regional importance only. In this case, a notice in regional newspapers would be sufficient to fulfill the obligation to inform.
A breach of the obligation to notify constitutes an administrative offense and is subject to a fine of up to Euro 300,000 or, where the breach results in additional profits, seizure of that profit.
