Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications
Commission Regulation (EU) No 611/2013of 24 June 2013on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communicationsTHE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)OJ L 201, 31.7.2002, p. 37., and in particular Article 4(5) thereof,Having consulted the European Network and Information Security Agency (ENISA),Having consulted the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such dataOJ L 281, 23.11.1995, p. 31. (the Article 29 Working Party),Having consulted the European Data Protection Supervisor (EDPS),Whereas:(1)Directive 2002/58/EC provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Union.(2)Under Article 4 of Directive 2002/58/EC, providers of publicly available electronic communications services are obliged to notify the competent national authorities, and in certain cases also the subscribers and individuals concerned, of personal data breaches. Personal data breaches are defined in Article 2(i) of Directive 2002/58/EC as breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union.(3)In order to ensure consistency in implementation of the measures referred to in Article 4(2), (3) and (4) of Directive 2002/58/EC, Article 4(5) thereof empowers the Commission to adopt technical implementing measures concerning the circumstances, format and procedures applicable to the information and notification requirements referred to in that Article.(4)Different national requirements in this regard may lead to legal uncertainty, more complex and cumbersome procedures and significant administrative costs for providers operating cross-border. The Commission therefore considers it necessary to adopt such technical implementing measures.(5)This Regulation is limited to the notification of personal data breaches and therefore does not set out technical implementing measures concerning Article 4(2) of Directive 2002/58/EC on informing the subscribers in case of a particular risk of a breach of the security of the network.(6)It follows from the first subparagraph of Article 4(3) of Directive 2002/58/EC that providers should notify to the competent national authority all personal data breaches. Therefore, no discretion should be left to the provider whether or not to notify to the competent national authority. However, this should not prevent the competent national authority concerned from prioritising the investigation of certain breaches in the way it sees fit in accordance with the applicable law, and to take steps as necessary to avoid over- or under-reporting of personal data breaches.(7)It is appropriate to provide for a system for the notification of personal data breaches to the competent national authority, which consists, where certain conditions are fulfilled, of various stages, each subject to certain time limits. This system is meant to ensure that the competent national authority is informed as early and as fully as possible, without however unduly hindering the provider in its efforts to investigate the breach and to take the necessary measures to confine it and remedy the consequences thereof.(8)Neither a simple suspicion that a personal data breach has occurred, nor a simple detection of an incident without sufficient information being available, despite a provider’s best efforts to this end, suffices to consider that a personal data breach has been detected for the purposes of this Regulation. Particular regard should be had in this connection to the availability of the information referred to in Annex I.(9)In the context of the application of this Regulation the competent national authorities concerned should cooperate in cases of personal data breaches having a cross-border dimension.(10)This Regulation does not provide for additional specification of the inventory of personal data breaches that providers are to maintain, given that Article 4 of Directive 2002/58/EC specifies its content exhaustively. However, providers may refer to this Regulation to determine the format of the inventory.(11)All competent national authorities should make available a secure electronic means for providers to notify personal data breaches in a common format, based on a standard such as XML, containing the information set out in Annex I in the relevant languages, so as to enable all providers within the Union to follow a similar notification procedure irrespective of where they are located or where the personal data breach occurred. In this connection, the Commission should facilitate the implementation of the secure electronic means by convening meetings with the competent national authorities where necessary.(12)When assessing whether a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, account should be taken, in particular, of the nature and content of the personal data concerned, in particular where the data concerns financial information, such as credit card data and bank account details; special categories of data referred to in Article 8(1) of Directive 95/46/EC; and certain data specifically related to the provision of telephony or internet services, i.e. e-mail data, location data, internet log files, web browsing histories and itemised call lists.(13)In exceptional circumstances, the provider should be permitted to delay the notification to the subscriber or individual, where the notification to the subscriber or individual may put at risk the proper investigation of the personal data breach. In this context, exceptional circumstances may include criminal investigations, as well as other personal data breaches that are not tantamount to a serious crime but for which it may be appropriate to postpone notification. In any event, it should be for the competent national authority to assess, in each case and in the light of the circumstances, whether to agree to the postponement or require the notification.(14)While providers should have contact details of their subscribers, given their direct contractual relationship, such information may not exist for other individuals adversely affected by the personal data breach. In such a case, the provider should be permitted to notify those individuals initially through advertisements in major national or regional media, such as newspapers, to be followed as soon as possible by an individual notification as provided for in this Regulation. The provider is therefore not obliged as such to notify through media, but rather is mandated to act in this way, if it so wishes, when it is still in the process of identifying all individuals affected.(15)The information about the breach should be dedicated to the breach and not associated with information about another topic. For example, inclusion of information about a personal data breach in a regular invoice should not be considered as an adequate means to notify a personal data breach.(16)This Regulation does not set out specific technological protection measures that justify derogation from the obligation to notify personal data breaches to subscribers or individuals, as these may change over time as technology advances. The Commission should, however, be able to publish an indicative list of such specific technological protection measures according to current practices.(17)Implementing encryption or hashing should not be considered sufficient by itself to allow providers to claim more broadly they have fulfilled the general security obligation set out in Article 17 of Directive 95/46/EC. In this regard, providers should also implement adequate organisational and technical measures to prevent, detect and block personal data breaches. Providers should consider any residual risk that may be present after controls have been implemented in order to understand where personal data breaches may potentially occur.(18)Where the provider uses another provider to perform part of the service, for example in relation to billing or management functions, this other provider, which has no direct contractual relationship with the end user, should not be obliged to issue notifications in the case of a personal data breach. Instead, it should alert and inform the provider with which it has a direct contractual relationship. This should apply also in the context of wholesale provision of electronic communications services, when typically the wholesale provider does not have a direct contractual relationship with the end user.(19)Directive 95/46/EC defines a general framework for personal data protection in the European Union. The Commission has presented a proposal for a Regulation of the European Parliament and of the Council to replace Directive 95/46/EC (the Data Protection Regulation). The proposed Data Protection Regulation would introduce an obligation for all data controllers to notify personal data breaches, building on Article 4(3) of Directive 2002/58/EC. The present Commission Regulation is fully consistent with this proposed measure.(20)The proposed Data Protection Regulation also makes a limited number of technical adjustments to Directive 2002/58/EC to take account of the transformation of Directive 95/46/EC into a Regulation. The substantive legal consequences of the new Regulation for the Directive 2002/58/EC will be the object of a review by the Commission.(21)The application of this Regulation should be reviewed three years after its entry into force, and its content reviewed in the light of the legal framework in place at that time, including the proposed Data Protection Regulation. The review of this Regulation should be linked where possible to any future review of Directive 2002/58/EC.(22)The application of this Regulation may be assessed based, inter alia, on any statistics maintained by competent national authorities of the personal data breaches of which they are notified. These statistics may include, for example, information on number of personal data breaches notified to the competent national authority, number of personal data breaches notified to the subscriber or individual, the time taken to resolve the personal data breach, and whether technological protection measures were taken. These statistics should provide the Commission and the Member States with consistent and comparable statistical data, and should reveal neither the identity of the notifying provider nor of the subscribers or individuals involved. The Commission may also hold regular meetings with competent national authorities and other interested stakeholders for this purpose.(23)The measures provided for in this Regulation are in accordance with the opinion of the Communications Committee,HAS ADOPTED THIS REGULATION: