This instrument has been newly introduced in the EU by the GDPR. Some national jurisdictions already foresaw similar, but less strict regulations, for example the previous art. 42a of the German Federal Data Protection Act, which will be followed by art. 65 and 66 FDPA-new (new German Federal Data Protection Act). In case of a personal data breach, the controller has to notify the supervisory authority without undue delay and, where feasible, within 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The processor has the same notification duty but without the 72 hours rule. The content of the notification is outlined in detail in the GDPR and encompasses information about the breach (nature, where possible categories and approximate number of data subjects and data recrods concerned, likely consequences, measures taken/proposed to address the breach or mitigate its adverse effects) as well as the name and contact details of a person at the company responsible for additional information or the data protection officer if one has been appointed. When the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subject has to be informed as well.
