A personal data breach (data protection incident, Article 33 GDPR) occurs when personal data is, intentionally or unintentionally (including negligently) or without authorization,
- destroyed,
- lost,
- altered,
- disclosed, or
- made accessible.
It is irrelevant whether the breach was intentional or accidental, or whether it was caused by HWR itself or by one of its processors acting on its behalf.
As the controller, HWR is subject to a duty of documentation and notification. The obligation to notify the supervisory authority (Berlin Commissioner for Data Protection and Freedom of Information) is triggered if the breach is likely to result in a high risk to the rights and freedoms of the data subjects. The risk assessment weighs the severity, the probability of occurrence and the scope (number and categories of persons affected) of the potential harm against each other. More details can be found in Article 33 of the GDPR.
Typical risks are:
- discrimination and damage to the reputation of individuals,
- identity theft or fraud,
- financial losses,
- unauthorized reversal of pseudonymization.
If a data breach is reportable, the university must notify the supervisory authority within 72 hours of becoming aware of the incident. Where applicable, the persons affected by the breach must also be informed. For HWR to meet this reporting deadline, all employees must report incidents as soon as they become aware of them. If a report is not made, or is made with unjustified delay, the supervisory authority may impose supervisory measures on HWR.
The Data Protection Officer is available to advise on the assessment and preparation of reports.
Examples of reportable data protection incidents:
- entering access credentials on a phishing site,
- executing an infected file after clicking a link to a malware site,
- attacks on central IT systems (campus management systems, mail systems, survey systems or research databases) in which attackers may have gained access to personal data,
- system modifications or the harvesting of access credentials (passwords) through the mass distribution of viruses, malware and spam e-mails,
- the unintentional misconfiguration of a system such that personal data is inadvertently made public,
- the accidental sending of personal data to an e-mail distribution list that is not responsible for this data,
- the loss of a mobile device (notebook, smartphone) or data carrier (USB stick) containing personal data,
- but also the unauthorized publication of paper-based documents, such as notices of exam results listing names.
Further reading: paper of the Data Protection Conference (DSK), “Risk to the rights and freedoms of natural persons”.