Privacy & Information Security Law Blog

On February 12, 2018, the Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) published on its website (in English and French) a form to be used for the purpose of compliance with data breach notification requirements applicable under the EU General Data Protection Regulation (the “GDPR”). The CNPD also published questions and answers (“Q&As”) regarding the requirements.

Pursuant to the GDPR, data controllers must notify the competent supervisory authority of a data breach within 72 hours of becoming aware of it, if the breach is likely to result in a risk to the rights and freedoms of individuals. Though breach notification is currently not required under the EU Data Protection Directive 95/46/EC, the CNPD has already published the form to assist companies with breach reporting prior to the GDPR coming into force.

For the time being, breach notifications can be sent to databreach@cnpd.lu. Alternative methods are currently under discussion. Notifications will be processed by the CNPD informally until the GDPR becomes directly applicable. Upon receipt, the CNPD will send an acknowledgement of receipt to the data controller, review the form, verify its authenticity and ask the controller any relevant questions, if necessary.

The form provides a series of questions for affected organizations, which are designed to incorporate the requirements of Article 33 of the GDPR. Organizations are not strictly required to use the exact form prepared by the CNPD, but must ensure that any form they do use complies with Article 33 of the GDPR.

In its Q&As, the CNPD also explains that data controllers must document any privacy breach, even those that are not reported to the CNPD. Such documentation must include the facts surrounding the breach, its impact and measures taken to mitigate them. The CNPD may request access to such documentation.