A new European Commission Regulation which deals with personal data security breaches (the “Notification Regulation”) came into force on 25 August 2013. The purpose of the Notification Regulation is to ensure that telecommunications operators, internet service providers and other public electronic communications service providers (the “Providers”) across the EU notify the relevant countries’ national data protection authority (national “DPA”) of personal data security breaches as soon as they are discovered.
When a personal data security breach has been detected, Providers are required to notify the relevant national DPA (and, in some circumstances, also the subscribers or individuals concerned if the breach is likely to jeopardise their personal data or privacy) within 24 hours of the detection of the breach. Providers can be exempt from notifying concerned subscribers or individuals if certain conditions are met. The Notification Regulation also sets out what information needs to be included in a notification.
The UK Information Commissioner’s Office has published guidance on the new notification procedure.