Page contents Page contents Tweġiba Il-ksur ta' data jseħħ meta d-data li tagħha tkun responsabbli l-kumpanija/organizzazzjoni tiegħek iġġarrab inċident għas-sigurtà li jirriżulta fi ksur tal-kunfidenzjalità, tad-disponibbiltà jew tal-integrità. Jekk dak iseħħ, u aktarx li l-ksur joħloq riskju għad-drittijiet u l-libertajiet tal-individwu, il-kumpanija/organizzazzjoni tiegħek għandha tinnotifika lill-awtorità superviżorja mingħajr dewmien bla bżonn, u mhux aktar tard minn 72 siegħa wara li tkun saret taf bil-ksur. Jekk il-kumpanija/organizzazzjoni tiegħek hija proċessur tad-data għandha tinnotifika kull ksur ta' data lill-kontrollur tad-data. Jekk il-ksur ta' data joħloq riskju għoli għal dawk l-individwi affettwati mela għandhom jiġu informati huma wkoll, sakemm ma jkunx hemm miżuri protettivi tekniċi u organizzazzjonali effettivi li jkunu ddaħħlu fis-seħħ, jew miżuri oħra, li jiżguraw li r-riskju m'għadux aktar probabbli li jimmaterjalizza. Bħala organizzazzjoni huwa vitali li timplimenta miżuri tekniċi u organizzazzjonali xierqa biex tevita l-possibilità li jkun hemm ksur ta' data. Eżempji L-organizzazzjoni għandha tinnotifika lill-APD u lill-individwiId-data tal-impjegati ta' kumpanija tat-tessuti ġiet żvelata. Id-data kienet tinkludi l-indirizzi personali, it-tip ta' familja, is-salarju fix-xahar u t-talbiet mediċi ta' kull impjegat. F'dak il-każ, il-kumpanija tat-tessuti għandha tinforma lill-awtorità superviżorja dwar il-ksur. Billi d-data personali tinkludi data sensittiva, bħad-data dwar is-saħħa, il-kumpanija għandha tinnotifika wkoll lill-impjegati. Impjegat tal-isptar jiddeċiedi li jikkopja d-dettalji tal-pazjenti fuq CD u jippubblikahom onlajn. L-isptar isir jaf b'dan xi ftit jiem wara. Hekk kif l-isptar isir jaf b'dan, ikollu 72 siegħa biex jinforma lill-awtorità superviżorja u, billi d-dettalji personali fihom informazzjoni sensittiva bħal jekk il-pazjent għandux kanċer, huwiex mara tqila, eċċ., għandu jinforma wkoll lill-pazjenti. F'dak il-każ, huwa dubjuż jekk l-isptar implimentax miżuri protettivi tekniċi u organizzazzjonali xierqa. Kieku verament implimenta miżuri protettivi xierqa (pereżempju kriptaġġ tad-data), il-wisq probabbli ma jkunx hemm riskju u l-isptar seta' jkun eżenti milli jinnotifika lill-pazjenti. Il-kumpanija għandha tinnotifika lill-klijenti u mbagħad huma jaf ikunu jridu jinnotifikaw lid-APD u lill-individwiServizz ta' cloud jitlef diversi hard drives li jkun fihom id-data personali li tappartjeni għal bosta mill-klijenti tiegħu. Dan għandu jinnotifika lil dawk il-klijenti hekk kif isir jaf dwar il-ksur ta' data. Il-klijenti għandhom jinnotifikaw lill-APD u lill-individwi skont id-data li tkun ġiet ipproċessata mill-proċessur ta' data. Referenzi Linji Gwida tal-EDPB dwar in-notifika ta’ ksur tad-dejta personali skont ir-Regolament 2016/679 Artikoli 4(12), 33, 34; Premessi 85, 86, 87, 88 Examples Organisation must notify the DPA and individuals The data of a textile company’s employees has been disclosed. The data included the personal addresses, family composition, monthly salary and medical claims of each employee. In that case, the textile company must inform the supervisory authority of the breach. Since the personal data includes sensitive data, such as health data, the company has to notify the employees as well. A hospital employee decides to copy patients’ details onto a CD and publishes them online. The hospital finds out a few days later. As soon as the hospital finds out, it has 72 hours to inform the supervisory authority and, since the personal details contain sensitive information such as whether a patient has cancer, is pregnant, etc., it has to inform the patients as well. In that case, there would be doubts about whether the hospital has implemented appropriate technical and organisational protection measures. If it had indeed implemented appropriate protection measures (for example encrypting the data), a material risk would be unlikely and it could be exempt from notifying the patients. Company must notify clients and they may then have to notify the DPA and individuals A cloud service loses several hard drives containing personal data belonging to several of its clients. It has to notify those clients as soon as it becomes aware of the breach. Its clients must notify the DPA and the individuals depending on the data that was processed by the data processor. References EDPB Guidelines on Personal data breach notification under Regulation 2016/679 Article 4(12) and Articles 33 and 34 and Recitals (85) to (88) of the GDPR
