Navigacija
SUVP (GDPR) > Uvodna izjava 85
Prenos PDF

Uvodna izjava 85

Recital 85

(85) Kršitev varstva osebnih podatkov lahko, če se ne obravnava ustrezno in pravočasno, zadevnim posameznikom povzroči fizično, premoženjsko ali nepremoženjsko škodo, kot je izguba nadzora nad njihovimi osebnimi podatki ali omejitev njihovih pravic, diskriminacija, kraja ali zloraba identitete, finančna izguba, neodobrena reverzija psevdonimizacije, okrnitev ugleda, izguba zaupnosti osebnih podatkov, zaščitenih s poklicno skrivnostjo, ali katera koli druga znatna gospodarska ali socialna škoda.

V primeru kršitve varstva osebnih podatkov bi moral upravljavec zato o njej uradno obvestiti nadzorni organ brez nepotrebnega odlašanja in po možnosti najpozneje v 72 urah po seznanitvi s kršitvijo, razen če lahko upravljavec v skladu z načelom odgovornosti dokaže, da ni verjetno, da bi kršitev varstva osebnih podatkov ogrožala pravice in svoboščine posameznikov.

Kadar ni mogoče uradno obvestiti v 72 urah, bi bilo treba uradnemu obvestilu priložiti razloge za zamudo, informacije pa se lahko zagotovijo postopoma in brez nadaljnjega nepotrebnega odlašanja.

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.

Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.