Version status: In force | Document consolidation status: Updated to reflect all known changes
Version date: 25 May 2018 - onwards
Version 2 of 2

87. Communication of personal data breach to data subject

(1) Subject to subsections (2), (4) and (7), where a personal data breach occurs that is likely to result in a high risk to the rights and freedoms of a data subject, the controller shall, without undue delay, notify the data subject to whom the breach relates.

(2) Subsection (1) shall not apply where -

(a) the controller has implemented appropriate technological and organisational protection measures that were applied to the personal data affected by the personal data breach, in particular where the said measures, including encryption, render the personal data unintelligible to any person who is not authorised to access it, or

(b) the controller has taken measures in response to the personal data breach that ensure that the high risk to the rights and freedoms of a data subject from the breach is no longer likely to materialise.

(3) A notification under subsection (1) shall -

(a) describe, in clear and plain language, the nature of the personal data breach concerned, and

(b) contain at least the information specified in paragraphs (b) to (d) of section 86(4).