This post was written by Cynthia O’Donoghue.

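At the end of March, the EU’s Article 29 Working Party adopted an Opinion on Personal Data Breach Notification (the Opinion). The Opinion is intended to help data controllers decide whether they are obliged to notify data subjects when a ‘personal data breach’ has occurred.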

A ‘personal data breach’ under Directive 2002/58/EC (the Directive) broadly covers the situation where personal data is compromised because of a security breach, and requires communications service providers (CSPs) to notify their competent national authority. Depending on the consequences of the personal data breach, CSPs may also be under a duty to notify the individual data subjects concerned.

The Opinion contains factual scenarios outlining the process that should be used by CSPs to determine whether, following a personal data breach, individuals affected should be notified. Each scenario is assessed using the following three “classic security criteria”:

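  • Availability breach – accidental or unlawful destruction of data
  • Integrity breach – alteration of personal data
  • Confidentiality breach – unauthorised access to or disclosure of personal data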

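The Opinion includes practical guidance on notifying individuals, including where the CSP does not have contact details for the individuals concerned or where the compromised data relates to children. The Opinion also stresses the importance of taking measures to prevent personal data breaches.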