(1) Subject to subsection (3), where a personal data breach occurs, the controller shall, without undue delay and where feasible within 72 hours of becoming aware of the breach, notify the Commission of the breach.
(2) Where a controller does not notify the Commission under subsection (1) of a personal data breach within 72 hours of becoming aware of the breach, the controller shall include in the notification the reason for not so notifying.
(3) Subsection (1) shall not apply where, taking into account the nature of the personal data and the scope, context and purposes of the processing, the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.
(4) A notification under subsection (1) shall include -
(a) a description of the personal data breach, including, where possible the categories and number, or approximate number, of -
(i) data subjects concerned, and
(ii) personal data records concerned,
(b) a description of the likely consequences of
…