In which cases should the data subjects be informed?
In accordance with Article 34(1) of the GDPR, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The level of risk is assessed in particular by taking into account the type of data concerned, the population concerned and the potential consequences of the breach for individuals (for example, the definitive loss of a patient’s health data may present such a risk).
Examples can be found in the European Data Protection Board Guidelines 01/2021, as well as in the Article 29 Working Party guidelines, endorsed by the European Data Protection Board, on reporting data breaches.
If you are a processor, this obligation does not apply, but you must notify the controller concerned.