On June 15, 2021, the Spanish Data Protection Authority (‘AEPD’) launched a new system for notifying personal data breaches. It simplifies notification by guiding data controllers through specific questions, so that they know which points the notification must address.
The new form also facilitates the gradual notification of personal data breaches by establishing two types of notification: a new notification, or a modification of a previous notification. The latter is for cases in which not all the relevant information is available within the 72-hour period established by the General Data Protection Regulation. For a new notification, the system lets data controllers submit it with the relevant information without having to provide additional documentation at that time, since the Agency may later request any information it requires, where appropriate.
Notifying the supervisory authority of a breach that affects personal data is part of the proactive responsibility established in the GDPR, and notifying does not necessarily imply the opening of an administrative procedure. In fact, notifying in a timely manner is evidence of the organization’s diligence, while failing to comply with this obligation is classified as an infraction.
This new form for notifying the Agency of a personal data breach joins the ‘Communicate-RGPD Gap’ tool, which helps organizations decide whether or not to communicate a data breach to the affected persons.