Nascleanúint
RGCS (GDPR) > Aithris 85
Íoslódáil PDF

Aithris 85

Recital 85

(85) Mura dtéitear i ngleic le sárú i ndáil le sonraí pearsanta ar bhealach iomchuí tráthúil, d’fhéadfadh gurb é an toradh a bheadh air damáiste fisiciúil, ábhartha nó neamhabhartha do dhaoine nádúrtha amhail smacht ar a gcuid sonraí pearsanta a chailleadh, nó teorannú ar a gcearta, idirdhealú, goid aitheantais nó calaois aitheantais, caillteanas airgeadais, aisiompú neamhúdaraithe chur i bhfeidhm ainm bréige, damáiste don chlú, caillteanas rúndacht na sonraí pearsanta sin atá faoi chosaint de réir rúndacht ghairmiúil, nó aon mhíbhuntáiste eacnamaíoch nó sóisialta eile don duine nádúrtha lena mbaineann.

Dá bhrí sin, a luaithe a bheidh an rialaitheoir ar an eolas faoi shárú a bheith déanta i ndáil le sonraí pearsanta, ba cheart don rialaitheoir fógra faoin sárú i ndáil le sonraí pearsanta a thabhairt don údarás maoirseachta, gan aon mhoill mhíchuí agus, i gcás inar féidir, tráth nach déanaí ná 72 uair an chloig tar éis dó nó di eolas a fháil ina leith, maidir leis an sárú i ndáil le sonraí pearsanta, ach amháin i gcás ina mbeidh an rialaitheoir in ann a thaispeáint, i gcomhréir le prionsabal na cuntasachta, nach dócha go mbeidh riosca ag gabháil leis an sárú i ndáil le sonraí pearsanta do chearta agus do shaoirsí daoine nádúrtha.

I gcás nach féidir fógra den sórt sin a dhéanamh laistigh de 72 uair an chloig, ba cheart na cúiseanna leis an moill sin a chur leis an bhfógra, agus féadfar faisnéis a chur ar fáil i gcéimeanna gan tuilleadh moille míchuí.

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.

Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.