Article 48
Personal Data Security Incidents
The controller shall report to the national authority and to the holder the occurrence of a safety incident that may lead to significant risk or damage to the holders.
- 1. The communication shall be made within a reasonable period of time, as defined by the national authority, and shall mention, as a minimum:
- I - description of the nature of the affected personal data;
- II - information about the holders involved;
- III - indication of the technical and security measures used for data protection, observing the trade and industrial secrets;
- IV - the risks related to the incident;
- V - the reasons for the delay, in case the communication was not immediate; and
- VI - the measures that have been or will be taken to reverse or mitigate the effects of the impairment.
- 2. The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the rights of the holders, order the controller to adopt measures such as:
- I - wide dissemination of the fact in the media; and
- II - measures to reverse or mitigate the effects of the incident.
- 3. In the judgment of the severity of the incident, any evidence that adequate technical measures have been taken to render the affected personal data unintelligible within the scope and within the technical limits of its services to third parties not authorized to access them shall be assessed.