Guidelines on breach notifications

The Article 29 Working Party (WP29) is an independent body that advises the European Commission on data protection matters. Established under Article 29 of the Data Protection Directive (95/46/EC), the Working Party is composed of:

  • Representatives of the national supervisory authorities in the Member States;
  • A representative of the European Data Protection Supervisor (EDPS);
  • A representative of the European Commission.

The Working Party issues opinions, guidelines and other documents that, although not legally binding, are regarded as official guidance and as an indication of the approach the national supervisory authorities are likely to take. Under the GDPR, the WP29 is replaced by the European Data Protection Board (EDPB).

The WP29 has just published its Guidelines on Personal data breach notification under Regulation 2016/679. The guidelines set out the requirements and provide advice on topics such as how, when and what information to notify to the supervisory authority and communicate to data subjects, how to assess the risk arising from a breach, accountability and record-keeping. The use of examples and clear language makes this an accessible and comprehensive guide.

Data breach notification requirements under the GDPR represent a significant change from the current law, with strict time limits (under Article 33 the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals) and specific actions (under Article 34 affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them). It could be said that this requirement encapsulates the essence of the GDPR by strengthening data subjects' rights and increasing the accountability of controllers.