Data breach notification following OVH data center fire
Following the OVH fire, and the data breach that the unavailability or destruction of data constitutes, Data Comply One (formerly Mission RGPD) reminds you of the notification obligations.
A data breach can take several forms: a data leak, unwanted modification, loss or destruction. This was the case during the fire at the OVH data center, where data controllers suffered destruction of their data. The breach must therefore be documented in the data breach register in accordance with Article 33 of the GDPR.
Cases where notification to the CNIL is not necessary
The CNIL recalls the cases in which notification to it and to the persons concerned is not necessary:
- if the implementation of a disaster recovery plan (PRA) or a business continuity plan (BCP) ensured continuity of service
- if the data has been restored from backups, without significant consequences for individuals (only a minor or temporary interruption of services)
- if the consequences for the people concerned do not create a high risk
Cases where notification to the CNIL is necessary after a data breach
However, notification to the CNIL is mandatory in the following cases:
- If the data has been permanently lost and cannot be restored
- If the data remained unavailable long enough to create a risk for the people concerned.
Furthermore, if the breach is likely to result in a high risk to the data subjects, the controller must also inform them.
In the event of a data breach, the data controller must notify the CNIL within 72 hours.
If you are a processor (subcontractor) and the breach affected your customers' data, you must also alert your customer and provide them with advice and assistance in notifying the CNIL and the people concerned.
If you need advice on handling incidents, visit the site cybermalveillance.gouv.fr.