Personal data breaches: guidelines to support data controllers released


The Spanish Data Protection Authority (AEPD) has just released a tool to help data controllers decide whether or not to communicate a data breach to data subjects.

‘Comunica-Brecha RGPD’ aims to promote transparency and accountability among controllers and allow data subjects impacted by a security breach to know when their rights and freedoms may be at risk.

With such a resource, any organization can assess their obligation to inform natural persons affected by a security breach of personal data, as established in article 34 of the General Data Protection Regulation (GDPR).

The tool is free and easy to use and is based on a short form whose responses can indicate whether there is a risk associated with a security breach. Once the process is completed, the information and data provided while filling in the form are deleted, so the DPA cannot keep track of what has been entered. In no case does the DPA store the data entered during the process. The DPA reminds that the tool is an aid to decision-making, but the final decision inevitably rests with the data controller, and in no case does its use represent the opinion of the DPA on the application of art. 34 of the GDPR to a specific security breach.

When completing the form, and depending on the information that has been provided, the tool offers one of three possible responses: that the data subjects should be notified of the security breach because a high risk has been identified; that such communication is not necessary; or that the level of risk cannot be determined.

The use of this tool does not in any case replace the necessary assessment of the level of risk by the controller, who is the one who best knows the details of the personal data processing carried out, the characteristics of the data subjects, the circumstances of the security breach and the other factors needed to obtain an accurate risk assessment. Similarly, the DPA reminds that using the tool to support decisions about the obligation to communicate security breaches to the data subjects is independent of the obligation to notify said breach to the supervisory authority.


Article provided by: Belén Arribas (Spain)
