Dáil Éireann Debate, Thursday - 18 April 2019
128. Deputy Pearse Doherty asked the Minister for Justice and Equality the penalties that can be imposed on a company for falsely informing clients that a data breach of their personal data had been reported to the Data Protection Commissioner when it had not been reported at the time; and if he will make a statement on the matter. [18105/19]
View answerI am advised that Article 33 of the General Data Protection Regulation (GDPR) imposes an obligation on data controllers to notify a personal data breach to the Data Protection Commission without undue delay and, where feasible, not later than 72 hours after having become aware of it unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification should include a description of the breach and its likely consequences, as well as the contact details of the data protection officer or other contact point from which additional information may be obtained. The notification should also describe the measures taken, or proposed to be taken, to address the breach and to mitigate possible adverse effects. Moreover, where a personal data breach is likely to result in high risk to the rights and freedoms of individuals, the data controller is required under Article 34 to communicate the breach to the individuals concerned. Article 58.2(e) of the GDPR confers a power on the Data Protection Commission to order a data controller to communicate a personal data breach to data subjects.
Article 83 of the GDPR provides for the imposition of administrative fines on data controllers in the case of infringements of GDPR provisions. Section 141 of the Data Protection Act 2018 provides for the imposition of such fines, which shall be effective, proportionate and dissuasive, by the Data Protection Commission in this jurisdiction.
