(1) In this regulation and in regulations 5B and 5C, "service provider" has the meaning given in regulation 5(1).
(2) If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.
(3) Subject to paragraph (6), if a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider shall also, without undue delay, notify that breach to the subscriber or user concerned.
(4) The notification referred to in paragraph (2) shall contain at least a description of -
(a) the nature of the breach;
(b) the consequences of the breach; and
(c) the measures taken or proposed to be taken by the provider to address the breach.
(5) The notification referred to the paragraph (3) shall contain at least -
(a) a description of the nature of the breach;
(b) information about contact points within the service provider's organisation from which more information may be obtained; a
…