Data Protection

(a) notify the Data Commissioner without delay,
within seventy-two hours of becoming aware of
such breach; and
(b) subject to subsection (3), communicate to the data
subject in writing within a reasonably practical
period, unless the identity of the data subject
cannot be established.
(2) Where the notification to the Data Commissioner
is not made within seventy-two hours, the notification shall
be accompanied by reasons for the delay.
(3) Where a data processor becomes aware of a
personal data breach, the data processor shall notify the
data controller without delay and where reasonably
practicable, within forty-eight hours of becoming aware of
such breach.
(4) The data controller may delay or restrict
communication referred to under subsection (1) (b) as
necessary and proportionate for purposes of prevention,
detection or investigation of an offence by the concerned
relevant body.
(5) The notification and communication referred to
under subsection (1) shall provide sufficient information to
allow the data subject to take protective measures against
the potential consequences of the data breach, including —
(a) description of the nature of the data breach;
(b) description of the measures that the data controller
or data processor intends to take or has taken to
address the data breach;
(c) recommendation on the measures to be taken by
the data subject to mitigate the adverse effects of
the security compromise;
(d) where applicable, the identity of the unauthorised
person who may have accessed or acquired the
personal data; and
(e) the name and contact details of the data protection
officer where applicable or other contact point
from whom more information could be obtained.
(6) The communication of a breach to the data subject
shall not be required where the data controller or data


