Dreaded by every company, but always topical: the data protection mishap. The great fear of a data protection breach often results from a lack of knowledge about how to deal with such a situation.

Learn what to do and the importance of having an emergency plan here.

Detecting a data protection breach

First of all, the company has to recognize that a data protection breach has occurred at all. A data protection breach is any violation of the protection of personal data. However, not every such incident is reportable. For a breach to be reportable, data security must also have been violated: the measures taken to protect the data must have failed, so that the confidentiality, availability or integrity of the personal data has been compromised. This is the case, for example, if data is accidentally destroyed or lost, if unauthorized persons gain access to it, or if it is unlawfully modified. The cause does not have to be an employee of the company; an external service provider can trigger such a breach just as well.

Reporting a data privacy breach

Article 33 of the GDPR stipulates that a data protection breach must be reported to the supervisory authority without undue delay, within 72 hours. The exception is a breach that is unlikely to result in a risk to the rights and freedoms of the data subjects.

Risk assessment

Relying on this exception requires that the data controller can correctly assess the data protection breach. To do this, they must perform a risk assessment that considers how severe the potential damage is and how likely it is to occur. To help determine the risk, the German Data Protection Conference (DSK) has published a short paper.

Regardless of this risk assessment, however, the data protection breach must at least be documented.

Notification to the supervisory authority

If the data breach is reportable, it must be reported to the competent supervisory authority in accordance with Art. 33 III GDPR, which also specifies the information the notification must contain. In addition, the supervisory authorities of the individual federal states provide their own notification forms.

If the breach is likely to result in a high risk, the potentially affected persons must also be notified.

In the event of a data protection incident, many things need to be considered and acted upon quickly, so a clear emergency plan is indispensable. Your data protection officer is the best person to help you develop and implement this plan. Once the plan is in place and all employees are sufficiently informed and aware of it, a data protection incident is one less thing to worry about.

Is your company not yet up to speed on data protection? In addition to providing external data protection officers, we offer online training, live training and consulting on all aspects of data protection and data security. Contact us!
