38—Notification to Data Commissioner

38. (1) A notification by a data controller to the Data Commissioner of a notifiable data breach under section 43 of the Act shall include—

(a) the date on which and the circumstances in which the data controller or data processor first became aware that the data breach had occurred;

(b) a chronological account of the steps taken by the data controller or data processor after the data controller or data processor became aware that the data breach had occurred, including the data controller or data processor's assessment that the data breach is a notifiable data breach;

(c) details on how the notifiable data breach occurred, where applicable;

(d) the number of data subjects or other persons affected by the notifiable data breach;

(e) the personal data or classes of personal data affected by the notifiable data breach;

(f) the potential harm to the affected data subjects as a result of the notifiable data breach;

(g) information on any action by the data controller or data processor, whether taken before or to be taken after the data controller or data processor notifies the Data Commissioner of the occurrence of the notifiable data breach, to—

(i) eliminate or mitigate any potential harm to any affected data subject or other person as a result of the notifiable data breach; or

(ii) address or remedy any failure or shortcoming that the data controller or data processor believes to have caused, or enabled or facilitated the occurrence of, the notifiable data breach;

(h) the affected individuals or the public that the notifiable data breach has occurred and how an affected data subject may eliminate or mitigate any potential harm as a result of the notifiable data breach; or

(i) contact information of an authorized representative of the data controller or data processor.

(2) Where the data controller intends not to communicate a notifiable data breach to a data subject affected by such breach, under the conditions set out in section 43(1)(b) of the Act, the notification to the Data Commissioner under sub-regulation (1) shall additionally specify the grounds for not notifying the affected data subject.

PART VI—NOTIFICATION OF PERSONAL DATA BREACHES