What is a personal data breach?

Article 4(12) of the GDPR defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Therefore, if infrastructures in the Strasbourg datacentre on which you hosted personal data were affected by the fire and are not recoverable, and you do not otherwise hold such data (on another backup environment or another), the destruction or loss of this data constitutes a loss of availability or integrity of the data and falls under the remit of a personal data breach.

Please note that if you have experienced a temporary unavailability of services without any loss of personal data, where either the services could be restored (e.g. OVHcloud email services) or you could restart your services on other infrastructures and restore your data’s accessibility, without this significantly impacting the data subjects, this is a data breach under the GDPR that must be logged in a register maintained by the controller, but it does not necessarily and in principle constitute a data breach likely to be notified to the CNIL, or the competent data protection authority. Such notification shall be subject to specific assessment criteria as described in point 3 below.