1. The provider shall notify all personal data breaches to the Information Commissioner.

2. The provider shall notify the personal data breach to the Information Commissioner no later than 24 hours after the detection of the personal data breach, where feasible.

The provider shall include in its notification to the Information Commissioner the information set out in Annex I.

Detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation.

3. Where all the information set out in Annex I is not available and further investigation of the personal data breach is required, the provider shall be permitted to make an initial notification to the Information Commissioner no later than 24 hours after the detection of the personal data breach. This initial notification to the Information Commissioner shall include the information set out in Section 1 of Annex I. The provider shall make a second notification to the Information Commissioner as soon as possible, and at the latest within three days following the initial notification. This second notification shall include the information set out in Section 2 of Annex I and, where necessary, update the information already provided.