In which cases must a personal data breach be notified to the supervisory authority?
Article 33(1) of the GDPR imposes an obligation to notify the supervisory authority of any personal data breach (such as accidental loss or destruction) if it is likely to result in a risk to the rights and freedoms of natural persons.
This risk is assessed case by case, according to the categories of data and data subjects, the purposes of the processing, or the specific activities and regulations applicable to the body responsible for the processing. For example, the unavailability or loss of sensitive data such as health data can have significant consequences for the individuals concerned. Breaches of this kind are therefore usually notified.
The notification obligation is the responsibility of the data controller concerned, which is defined in Article 4(7) of the GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data [...]”.
If you are not the controller but are acting as a processor, i.e. on the instructions of another party, you must, in accordance with Article 33(2) of the GDPR, notify that instructing party of the breach without undue delay. If the instructing party is the controller, it can then notify the supervisory authority if it considers it necessary; failing that, it can inform the controller so that the controller can make the notification if applicable.
Furthermore, depending on the type of services provided, a processor may make the notification on behalf of its customers acting as data controllers, if it has been entrusted with this task as part of its contractual relationship with them. In that case, the legal responsibility for notification always lies with the controller. In any event, in accordance with OVHcloud’s terms of service, no such mandate to notify the appropriate controller is given to OVH by its controller customers.
Furthermore, if you are not the only controller, you must inform the co-controller(s).
The supervisory authority must be notified of the breach as soon as possible and, if possible, no later than 72 hours after having become aware of it.