Fines may be imposed for "incorrect" risk assessment in the event of a data breach.

In the event of a data breach, in addition to notifying the data protection supervisory authority, it may also be necessary to notify the data subjects.

Controllers must notify data subjects if a data breach results in a high risk to their rights and freedoms (Art. 34 GDPR). This notification obligation does not apply under certain conditions, such as protective measures taken in advance, subsequent measures that minimise the risk, and disproportionate effort. A clear distinction between "high" and "medium" risk is therefore of crucial importance. Controllers should carry out a thorough and well-documented risk assessment in order to avoid sanctions.

A Polish insurance company received a fine of 24,000 euros from the Polish supervisory authority because it categorised the risk as low after a data breach and did not inform either the data subject or the supervisory authority.

Source: https://www.edpb.europa.eu/news/national-news/2024/polish-sa-administrative-fine-eu-24000-failure-notify-personal-data-breach_de

Do you have any questions on this and other topics? We are of course at your disposal, by e-mail at consulting@adorgasolutions.de or by telephone on +49 173 8198864.

How can we help you?

Contact us: we are happy to help!