Breach of confidentiality in the crosshairs of data protection

If the suspicion arises that a (former) employee has stolen customer data, the attention is understandably great. The anger is all the greater when the suspicion is not only substantiated, but even confirmed. Usually, the focus is on prosecuting the perpetrator, whether under civil or criminal law. What is all too often overlooked in the heat of the moment is the fact that a breach of confidentiality can also constitute a data protection violation. 

If the perpetrator steals, for example, customer or supplier lists, names, contact data, customer history or even customer profiles are regularly affected in addition to prices etc. This information constitutes personal data. In cases of a personal data breach, the controller has an obligation according to Article 33 GDPR to report this data breach to the supervisory authority. A personal data breach already occurs if "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;" (Article 4 No. 12 GDPR). This is regularly the case if the perpetrator has stolen said customer or supplier lists. 

The notification of the supervisory authority is also time-critical, as it must be made without undue delay, if possible within 72 hours. Failure to notify, but also late notification, is subject to a fine. The notification obligation should therefore be taken seriously. However, the obligation to notify is probably not triggered by mere suspicion. This is supported by the wording of Article 33 GDPR, according to which notification must be made "in the case of a personal data breach". Nevertheless, in practice, suspicious notifications are often made as a precautionary measure, which can have a positive effect, for example, in the assessment of fines. According to recital 148 of the GDPR, it is important how a supervisory authority became aware of a breach, i.e. from the controller itself or a third party. 

An exception to this notification requirement only exists if the data breach is unlikely to result in any risk to the rights and freedoms of natural persons. If the occurrence of harm to the natural persons does not seem possible, no notification is required. As examples of possible harm, recital 85 of the GDPR mentions, among other things, loss of control over their personal data or limitation of their rights. If the data is used without the knowledge of the natural persons, this already constitutes a restriction of the natural persons' rights. The natural persons also no longer have control over their data if it falls into the hands of a third-party unknown to them. Whether there is a risk to the rights and freedoms of natural persons should therefore be carefully weighed. This prognosis decision must be made by the controller, who also bears the risk of a wrong assessment. The next step is to assess how likely this risk is. Assuming that the perpetrator stole the data in order to use it as well, the probability of the risk materializing will usually not be easily negligible. If the controller concludes that there is probably no risk - e.g. because the data was effectively encrypted - it should definitely document the risk assessment carried out. 

If the controller concludes that the data protection breach must be reported to the supervisory authority, Article 34 GDPR should also be kept in mind. There is a threat of further trouble here. If the data controller concludes in the course of its assessment that the data breach is likely to result in a high risk to the personal rights and freedoms of natural persons, it must also notify the natural persons of the data breach without undue delay. The prospect of informing one's customer that their data has been lost will certainly not cause many people to rejoice. 

Whether a high risk exists can only be determined on a case-by-case basis and depends not only on the probability of damage occurring but also on the severity of possible damage. Within the framework of this risk-based approach, the type of data stolen is of decisive importance. Address data is certainly less critical than passwords, bank data or health data. Once again, the result of the risk prognosis must be documented, especially if a high risk is denied. 

At the end of the day, although the infringed party is not the perpetrator but the victim, it must also comply with the notification obligations under data protection law in the event of any data theft. While the obligation to notify the supervisory authority under Article 33 GDPR already exists for every data breach and is only dispensed as an exception if there is likely to be no risk to the rights and freedoms of the natural persons, the notification obligation of Article 34 GDPR is only triggered if there is likely to be a high risk to the personal rights and freedoms of natural persons.