Article 34 of the GDPR: Communication to the data subject of a personal data breach
Article 34 of the GDPR provides that, when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the affected data subjects directly and without undue delay.
Article 34 of the GDPR explained
The data controller must inform the data subjects:
- When the breach is likely to result in a high risk to their rights and freedoms (e.g. identity theft, financial loss, loss of confidentiality of sensitive data);
- In clear and plain language, without undue delay;
- By describing the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a contact point (the DPO or another contact) for further information.
This obligation does not apply if any of the following conditions is met:
- Appropriate technical and organisational protection measures were applied to the affected data (e.g. encryption that renders the data unintelligible to anyone not authorised to access it);
- Subsequent measures taken by the controller ensure that the high risk is no longer likely to materialise;
- Individual communication would involve disproportionate effort; in that case a public communication or a similar measure that informs the data subjects equally effectively must be used instead.
Note that the supervisory authority, after being notified under Article 33, may itself require the controller to inform the data subjects if it considers the breach likely to result in a high risk.
Why is this article important for your GDPR compliance?
Informing those affected when there is a high risk is essential so that they can take steps to protect themselves (e.g. change a password, monitor their bank account, watch for phishing attempts). This supports the transparency and accountability principles at the heart of the GDPR.
How to comply with Article 34 of the GDPR?
- Systematically assess the risks to data subjects for every breach, and record the reasoning that led to the decision to communicate or not;
- Prepare notification templates in advance so they are ready to send;
- Be responsive and transparent in your communication, without waiting for the investigation to be complete;
- Document every breach, its effects and the remedial action taken in the breach register required by Article 33(5).
Examples of application of Article 34 of the GDPR
- A bank informs its customers after an intrusion exposes sensitive banking data;
- A company alerts its employees after the loss of a USB key containing unencrypted pay slips;
- A public authority publishes an official notice after a breach of its online services portal, where contacting each user individually would involve disproportionate effort.