EUROPEAN UNION PRIVACY LAWS

Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 72 Hours

Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Mandated Rights of the Individual
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organisation of Breach/Suspected Breach

Fines & Penalties

Violations of Breach Notification Laws:

  • Up to 4% of annual global turnover or €20 million

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Vendor Contract Required

Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements

Quick Facts
  • The General Data Protection Regulation (GDPR) is a comprehensive regulation designed to address most aspects of personal data processing within the European Union. The regulation imposes obligations on any organisation that targets, or collects data relating to, people in the European Union.
  • Member States are encouraged to establish their own country-specific codes of conduct. If your business is located and/or handles personal data from individuals in one or more Member States, you may have additional requirements with which you must comply.
  • Both Controllers and Processors (unless exempt) must maintain an extensive log of all data processing activities.
  • Controllers must contract with Processors who process personal data on behalf of the Controller. The contract must be in writing, including in electronic form.
  • The Controller’s expectations of the Processor should be communicated clearly and included in the contract with the Processor.
  • Controllers must, at the time personal data are obtained, inform the data subject of the existence of the processing operation and its purposes, including how the data subject can exercise their rights.
  • Controllers must only contract with Processors who have in place appropriate protections and security of personal data, equal to the level of protections and security required for Controllers.
  • Processors must only process personal data at the specific direction of Controllers.
  • Processors must ensure their employees who have access to and process personal data are aware of and abide by the contractual requirements of Controllers for the processing of personal data.
  • Processors must assess the risks associated with the processing of personal data, to ensure proper safeguards are in place to prevent unauthorised destruction, loss, alteration, disclosure of, or access to the personal data.
  • Processors must assist Controllers with any obligations for completing data protection impact assessments and comply with any guidance given by a supervisory authority following consultation.
  • Processors must notify the respective Controller without delay after becoming aware of any personal data breach involving the data being processed for the Controller.
  • Processors must assist Controllers when necessary and appropriate with any information about a personal data breach and/or compliance with the requirements for breach notification.
  • Organisations covered under the GDPR must be able to demonstrate compliance.
  • Processors must have the written approval of the Controller before using sub-Processors.
  • Processors must inform Controllers of any relevant changes to any approved sub-processing.
  • Organisations face fines, penalties, orders and/or sanctions as a result of violating GDPR requirements.

Statutes and Laws
  • EU GENERAL DATA PROTECTION REGULATION (GDPR): REGULATION (EU) 2016/679