(1) Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay.
(2) The information given to the data subject must include the following -
(a) a description of the nature of the breach;
(b) the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
(c) a description of the likely consequences of the personal data breach;
(d) a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(3) The duty under subsection (1) does not apply where -
(a) the controller has implemented appropriate technological and organisational protection measures which were applied to the personal data affected by the breach,
(b) the controller has taken subsequent measures which ensure
…