In which cases is it not necessary to notify the supervisory authority?
The supervisory authority does not need to be notified in the following cases:
The data breach does not pose risks to people’s rights and freedoms. This is the case when your services and personal data have only been temporarily unavailable without loss or destruction of data: either the services have been restored, or you have been able to restart your services on other infrastructure and restore access to your data by restoring it from backups.
Personal data has been lost or destroyed, but this is not likely to pose a risk to the rights and freedoms of the natural persons concerned. This is the case when the personal data lost or destroyed is of little importance to the data subject (for example, technical data such as certain service usage logs).
You use OVH services for personal purposes. The GDPR does not apply to personal data processed by a natural person in the context of a strictly personal or domestic activity. Therefore, any loss or destruction of personal data occurring in this context should not result in notification.
You are not the data controller. This is the case when you are processing data as a processor upon instruction from a third party, for example, your own customers. In this case, the data breach must be notified by the controller, not by you. To this end, you have an obligation as a processor to inform your customer so that they can alert or notify the controller.
However, as a data controller, you must document the data breach in an internal register, regardless of the level of risk to the data subject.