Data Breach Notification
FIELDS MARKED WITH * ARE MANDATORY
1. Type of notification:
*
Choose notification type:
Complete notification (all the required information is included in the notification)
Preliminary notification (preliminary information is provided. The notification will be complemented at a later stage)
2. IDPC file reference number of PRELIMINARY notification:
(Applicable in case a preliminary notification has already been submitted)(PLEASE USE THE EXACT FORMAT THAT WAS GIVEN IN THE ACKNOWLEDGEMENT EMAIL)
3. Date of previous PRELIMINARY notification:
(Applicable in case a preliminary notification has already been submitted)
4. Brief description of previous PRELIMINARY notified breach:
(Applicable in case a preliminary notification has already been submitted)
Preview full form template
About you
Contact details
UNLESS PROVIDED IN A PRELIMINARY NOTIFICATION
5. Organisation officially registered number:
*
6. Name of organisation:
*
7. Orginisation registered address and any relevant contact details of the organisation:
*
8. Address of the establishment concerned with the breach:
*
9. Identity and contact details of the data protection officer or other contact point where more information can be obtained.
Name:
*
Surname:
*
Email address:
*
(Please make sure the email address is correct)
Confirm email address:
*
(Please make sure the email address is correct)
Phone number:
*
Address of the location from which he/she carries out his/her activities:
*
10. Reporting person contact details:
Email address:
Phone number:
Address:
11. Sector of activity of orginisation:
*
Choose sector:
Agriculture, forestry and fishing
Mining and quarrying
Manufacturing
Electricity, gas, steam and air conditioning supply
Water supply; sewerage, waste management and remediation activities
Construction
Wholesale and retail trade; repair of motor vehicles and motorcycles
Transportation and storage
Accommodation and food service activities
Information and Communication
Financial and insurance activities
Real estate activities
Professional, scientific and technical activities
Administrative and support service activities
Public administration and defence; compulsory social security
Education
Human health and social work activities
Arts, entertainment and recreation
Other service activities
Activities of households as employers; undifferentiated goods- and services-producing activities of households for own use
Activities of extraterritorial organisations and bodies
Blockchain
Involvement of other entities outside the data controller for the service concerned by the data breach
12. Involvement of others outside the data controller for the service concerned by the data breach?
*
(Joint controllers, processors, other autonomous data controllers).
Yes
No
13. Contact details and role of the other entities involved
Contact person:
*
Email address:
*
Phone number:
*
Address:
*
Timeline
14. Date of breach:
*
15. Date of awareness of breach:
*
16. Means of detection of breach:
*
(Describe how you became aware of the breach).
17. Date of notification by processor:
(If applicable)
18. Reasons for late notification of breach:
(If breach is not notified within 72 hours)
19. Other comments on the timeline:
(If required)
About the breach (TICK AS APPROPRIATE)
Confidentiality (where there is an unauthorised or accidental disclosure of, or access to, personal data)
Integrity (where there is an unauthorised or accidental alteration of personal data)
Availability (where there is an accidental or unauthorised loss of access to, or destruction of, personal data and data are not made available).
Nature of incident (TICK AS APPROPRIATE)
Paper lost or stolen of left in an insecure location
Device lost or stolen or left in an insecure location
Mail lost or opened
Hacking
Malware (e.g. ransomware)
Phising
Incorrect disposal of data
E-waste (personal data is still present on obsolete device)
Unintended publication
Data of wrong subject shown
Personal data sent to wrong recipient
Verbal unauthorised disclosure of personal data
Other
22. Summary of the incident that caused the personal data breach including the storage media involved:
*
Cause of breach
Internal non-malicious
Internal malicious
External non-malicious
External malicious
Unknown
Other
24. Description of other cause of the breach:
(If applicable)
Type of breached data (TICK AS APPROPRIATE)
Regular data
Data subject identity
National identification number
Contact details
Identification data
Economic and financial data
Official documents
Criminal convictions, offence or security measures
Other
26. Description of other:
(If required)
Special categories of data
Data revealing racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Sex life data
Health data
Genetic data
Biometric data
About the data subjects (TICK AS APPROPRIATE)
Employees/staff
Current customers/subscribers
Students
Patients
Minor/s
Vulnerable individuals
Former customers and/or subcribers
Others
29. Description of other:
(If required)
30. Approximate number of data subjects concerned by the breach:
*
About the measures in place BEFORE the breach
31. Did the organisation have technical and organisational measures to prevent an incident of this nature from occuring?
*
Yes
No
If yes, please indicate the measures
33. Please provide extracts of any policies and procedures considered relevant to this indicent, and explain which of these related to such measures were implemented at the time this incident occured.
Please provide the dates on which they were implemented and any other proof of implementation.
*
34. As the data controller, does the organisation provide it's staff with training on the requirements of the GDPR and of the Data Protection Act?
If so, please provide any extracts relevant to the security incident here.
*
35. Please confirm if the training is mandatory for all staff. Had the staff members involved in this incident received training and if so when?
*
36. As the data controller, does the organisation provide any detailed guidance to staff on the handling of personal data in the processing operations that led to the incident you are reporting?
If so, please provide any extracts relevant to this incident here.
*
Consequences (TICK AS APPROPRIATE)
Breach of confidentiality
The data involved in the breach was accessed by recipients other than authorised
If the data was accessed by a third party, was there the consent of the data subject?
Yes
No
Data may be linked with other information of the data subjects?
Yes
No
The personal data may be further processed for other purposes different from the original ones.
Yes
No
41. Other confidentiality consequence/s
(If applicable)
Breach of integrity
Data may have been modified and used even though it is no longer valid.
Yes
No
Data may have been modified into otherwise valid data and subsequently used for other purposes.
Yes
No
41. Other integrity consequence/s
(If applicable)
Breach of availability
Loss of the ability to provide critical services for the affected data subjects
Yes
No
Alteration of the ability to provide a critical service to the affected data subjects
Yes
No
42. Other availability consequence/s
(If applicable)
Physical, material or non-material damage or significant consequences to the data subjects
43. Nature of the potential impact for the data subject:
*
Choose nature of the potential impact :
Loss of control over their personal data
Limitation of their rights
Discrimination
Identity theft
Financial loss
Unauthorised reversal of pseudonymisation
Loss of confidentiality of personal data protected by professional secrecy
Damage to reputation
Fraud
Other
Please describe other:
(If applicable)
44. Description of the other impacts for the data subject:
*
45. Severity of the potential impacts:
*
Choose severity:
Negligible
Low
Medium
High
Taking Action
Communication to data subjects
46. Information to data subjects:
Choose option:
Yes
No, but they will be informed
No they will not be informed
Not defined at this time
47. Date of when information was given to data subjects if they already have been informed
48. Date of future information of the data subjects if they have not been informed yet
49. Reason for not informing data subject:
Choose option:
Technical and organisational measures were in place, in particular those that render the personal data unintelligible to any person who is not authorised to access it
It would involve disproportionate effort to inform each data subject individually
No specific requirement arises
50. Means of communication used to inform data subject
51. Content of the information delivered to the data subjects.
Attach sample copy of the communication delivered to the Data Subject
(If applicable)
(PDF format ONLY)
Max size: 6MB
52. Public communication or similar measure
Description of measures allowing to skip information of data subjects
53. The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it.
Yes
No
The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
It would involve disproportionate effort to inform each data subject individually.
Measures taken to address the breach
54. Measures taken by the controller to address the breach
*
Yes
No
Cross border and other notifications
55. Is this notification a cross border notification?
*
Yes
No
56. Is this Office the Organisation's lead authority?
*
Yes
No
57. List of other Member States concerned by the breach
*
58. Has the breach been, or will it be notified, directly to other concerned Member States Supervisory Authority ? If YES list the Member States Supervisory Authority to which the breach has been or will be notified.
*
Yes
No
59. Has the breach been, or will it be notified, to Data Protection Authorites in third countries? If YES list of the other third country data protection authorities to which the breach has been or will be notified.
*
Yes
No
60. Has the breach been, or will it be notified, to other Member States regulators (not related to Data Protection) because of other legal obligations (NIS directive eIDAS regulation)? If YES list of other Member State regulators to which the breach has been or will be notified.
*
Yes
No
Attach any other relevant documents
(If applicable)
(PDF format ONLY)
Max size: 6MB
Previous
Next
Report breach
Please wait while we process your request...
Do not close or refresh the browser window.