Fines may be imposed for an "incorrect" risk assessment in the event of a data breach.
In the event of a data breach, in addition to notification to the data protection supervisory authority, it may also be necessary to notify the data subjects.
Controllers must notify the data subjects if a data breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR). This notification obligation does not apply under certain conditions, namely where protective measures applied beforehand shield the data (such as encryption), where subsequent measures have reduced the risk so that it is no longer likely to be high, or where notification would involve disproportionate effort. A clear distinction between "high" and "medium" risk is therefore of crucial importance. Controllers should carry out a thorough, well-documented risk assessment in order to avoid sanctions.
A Polish insurance company received a fine of 24,000 euros from the Polish supervisory authority because, after a data breach, it categorised the risk as low and informed neither the data subject nor the supervisory authority.
Do you have any questions on this and other topics? We are of course at your disposal – by e-mail consulting@adorgasolutions.de or by telephone on +49 173 8198864.