Where personal data are concerned, the controller must document the breach in question in an internal register.
My dedicated server was unavailable for several days, but does not contain any personal data. Should I report this?
No, the obligation to report a breach applies when a breach of security has occurred that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If you do not process personal data, there is no obligation to report anything.
My infrastructure is considered “non-recoverable” following the fire, and I had not made a backup. Do I need to notify the supervisory authority?
Notifying the supervisory authority is necessary if:
- personal data is permanently lost (no backup); or
- the data remained unavailable for a sufficient period of time, thereby creating a risk for the natural persons concerned.
However, if such loss or unavailability is unlikely to present a risk to the rights and freedoms of the natural persons concerned (e.g. data of little importance such as technical data), then notification is not required.
Where necessary, the notification must be made by the controller without undue delay, and if possible, within 72 hours of becoming aware of the breach.
If you are a processor, i.e. you process the data concerned upon instruction from a third-party entity (e.g. your customer), you must notify them of the incident as soon as possible so that they can make the required notifications or, if they are not themselves the controller, inform the controller.
Furthermore, if the breach is likely to result in a high risk to individuals, they must also be directly informed. The level of risk is assessed in particular by taking into account the type of data concerned, the population concerned (customers, patients, employees, minors, vulnerable persons) and the potential consequences of the breach for the data subjects (for example, the definitive loss of a patient’s health data may present a high risk).
I am the processor and my infrastructure is considered “non-recoverable” following the fire, but I have backups. Do I need to notify the supervisory authority?
If the implementation of a disaster recovery plan (DRP) or business continuity plan (BCP) ensured continuity of service and the data could be or will be restored from backups, without significant consequences for individuals, then notification is not necessary.
I use OVH Exchange services, and emails that I sent or received during the incident arrived late. Do I need to notify my data protection authority?
With the implementation of the OVH DRP and BCP, data was able to be restored from backups. As a result, the consequences for the data subjects were reduced (temporary inability to access emails). No prior notification is necessary in this case, unless a risk to the data subjects has been identified.
My email services were inaccessible several hours after the incident, but no loss occurred. Should I report this unavailability?
No, only “personal data breaches” must be reported. Temporary unavailability does not qualify as a breach as defined in Article 4(12) of the GDPR.