
Handling security breaches from a German law perspective

September 2013

The ever-increasing number of data security breaches, coupled with the understandable reluctance of organisations to inform authorities and affected individuals of breaches, caused the German legislator to introduce a legal data security breach reporting obligation in 2009. At the same time, regulators were given powers to fine organisations for failure to notify or for improper notification. These measures have made it easier for both regulators and data subjects affected by security breaches to minimise the damage caused. Perhaps more importantly, many organisations have enhanced their data security as a result.

Reporting obligations and prerequisites

There is no general requirement to report data breaches under German law. The legal obligation is attached to specific types of personal data and differs depending on the applicable law. In particular, there are three different regulations under German law which impose breach reporting obligations. Whether a notification has to be made will therefore depend on the type of personal data affected and the nature of the data controller.

Essentially, only breaches involving personal data considered sensitive have to be notified. This includes information concerning racial or ethnic origin, political opinions, religious beliefs, health, criminal or administrative offences, bank accounts or credit cards, as well as inventory and usage data held by telecommunications or internet providers, such as name, address, phone number, password and information on the time and scope of the services used.

In addition, for notification to be required, the data must have been disclosed to third parties without any justification (i.e. without the consent of the data subject and without any other legal justification), resulting in a serious threat of damage (in most cases) or harm to the individuals affected. Typical examples are publication on the internet, personal data sent to the wrong address, and loss or theft of data. Whether a disclosure of personal data poses a serious threat of damage can be difficult to answer in practice and must be decided on a case-by-case basis. The data controller should consider what sorts of risks the data breach creates and how probable it is that those risks will actually materialise. The greater the potential harm, the less weight needs to be given to the likelihood of its occurring. An obligation to report can, for example, be assumed when credit card information has been leaked, because such data will most likely cause the card holder financial loss.

Content, timing and form of notification

Content and timing requirements for notification also vary depending on the applicable law and on the party being notified (i.e. regulatory authority or affected individual). In general, authorities need to be informed immediately after the data breach has been detected, meaning that the data controller either knows or strongly suspects that a breach has occurred. The period between gaining some form of knowledge of the breach and notification must not exceed two weeks. On the other hand, notification of the individuals affected can, in general, be delayed if notification would prejudice criminal proceedings or if appropriate measures to safeguard the personal data have been taken.

With regard to the content of the notification, authorities basically need to be given as much detail as possible, whereas the notification of individuals affected is limited to the essentials. In a nutshell, affected individuals must be given the information they need to minimise potential consequential damage. This means a notification is likely to include information about what kind of data is affected and how the data breach occurred. The data controller is also expected to provide recommendations on how to minimise potential harm. The reporting obligations towards regulatory authorities are more extensive, as the information given must enable the authorities to investigate the data breach and, where applicable, take appropriate action. In addition to the information given to affected data subjects, the notification to the regulator needs to contain (among other things) the time the data leak occurred, a description of the potential adverse consequences for the individuals affected, the probability of their occurrence, adverse consequences for the data security of the data controller, safeguarding measures taken after the data breach, and whether and how affected individuals were notified.

With regard to the form of the notification, German law does not stipulate any specific requirements; however, for reasons of proof, notifications should preferably be made in writing or at least by e-mail. Individuals affected usually need to be informed individually. However, where individual notification would require a disproportionate effort in time and money, in particular where the data breach concerns a large number of affected individuals, it can be replaced by public advertisements of at least half a page in two German daily newspapers.


Philipp Koehler


Philipp looks at dealing with security breaches from a German law perspective and, in particular, at breach reporting obligations.
