(1) Subject to subsections (2), (4) and (7), where a personal data breach occurs that is likely to result in a high risk to the rights and freedoms of a data subject, the controller shall, without undue delay, notify the data subject to whom the breach relates.
(2) Subsection (1) shall not apply where -
(a) the controller has implemented appropriate technological and organisational protection measures that were applied to the personal data affected by the personal data breach, in particular where the said measures, including encryption, render the personal data unintelligible to any person who is not authorised to access it, or
(b) the controller has taken measures in response to the personal data breach that ensure that the high risk to the rights and freedoms of a data subject from the breach is no longer likely to materialise.
(3) A notification under subsection (1) shall -
(a) describe, in clear and plain language, the nature of the personal data breach concerned, and
(b) contain a
…