Responsibility of Controller towards data subject in case of data breach

Article 34 of the GDPR requires the data controller, in case of a data breach, to communicate the breach to the data subject without undue delay. The communication must describe, in clear and plain language, the nature of the personal data breach and must contain the required information and the measures taken after the breach.

However, such communication is not required if any of the following conditions is met:

  1. The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  3. It would involve disproportionate effort. In such a case there shall instead be a public communication or a similar measure whereby the data subjects are informed in an equally effective manner.

In general, the data controller is required to take all possible measures and steps to protect the personal data of the individual. Articles 33 and 34 are usually read together in order to understand the responsibility of the data controller.