Assessment of risk to data subjects

The EDPB determined that in this example, the risk of infringement of the rights and freedoms of data subjects was high. Thus the data controller (the employer of the person whose device was stolen) must notify the infringement to the supervisory authority, inform the data subjects affected by the breach, and internally document the occurrence of the breach and the remedial measures taken. In assessing the risk, the EDPB stated: “No prior safety measures were taken by the data controller, hence the personal data stored on the stolen notebook was easily accessible for the thief or any other person coming into possession of the device thereafter. … The notebook containing the personal data was vulnerable in this case because it did not possess any password protection or encryption. The lack of basic security measures enhances the risk level for the affected data subjects. Furthermore, the identification of the concerned data subjects is also problematic, which also increases the severity of the breach. The considerable number of concerned individuals increases the risk, nevertheless, no special categories of personal data were concerned in the data breach. … As a result of the breach the concerned data subjects may suffer identity fraud relying on the data available on the stolen device, so risk is considered to be high” (Guidelines p. 25).

Polish perspective on the example

If this breach involved a Polish employer, the conclusion by the EDPB would also be correct, i.e. the employer would be required to notify the Polish data authority (PUODO), inform the data subjects affected, and internally document the occurrence of the breach and the remedial actions taken.

Although this was not addressed in the Guidelines, it should also be considered whether due to the large number of people affected by the breach and the potential difficulty in identifying them, this example presents a situation referred to in Art. 34(3)(c) GDPR, under which communication to the data subjects affected by a breach is not required if “it would involve disproportionate effort.” Then, instead of notifying each individual, the controller could issue “a public communication or similar measure whereby the data subjects are informed in an equally effective manner.” However, the controller would have to justify and document this circumstance (for example in the event of an inspection), and this approach would not apply to the extent that the controller was in a position to identify the persons affected by the breach and had contact information to reach them.

In this example, the scope of the notification obligation could be narrower, e.g. limited to notifying PUODO, if the data on the device were encrypted, or the data on the device were protected by a strong password.

Remedial measures

In the EDPB’s view, following such a breach the following measures would at least minimise the risk of a similar breach in the future (Guidelines p. 25):

• Turning on device encryption
• Use of strong password protection.

Additionally, although not mentioned by the EDPB in the Guidelines, it would be reasonable to consider in this situation whether the company’s databases should be stored directly on individual devices, or only within the company’s own network or system, which employees could access only after proper authentication (e.g. two-factor authentication). This solution, which could include both technical limitations on saving data to such devices, as well as implementing appropriate procedures prohibiting or limiting employees’ ability to store data in this manner, would seem to more fully execute the requirements under Art. 32 GDPR and the principles of privacy by default and privacy by design. In that situation, even if the device were lost, the scope of the breach (and also its negative consequences) could be significantly reduced.

Karolina Romanowska, Łukasz Rutkowski