
RGPD – Data breaches, what are my start-up’s obligations?

  • 23 January 2024
  • Posted by: Kelly HAZAN
  • Category: Personal data

STARTUPS, WHAT ARE YOUR OBLIGATIONS IN THE EVENT OF A PERSONAL DATA BREACH?

Implementing security measures is an obligation imposed by the RGPD. What is a personal data breach? How to react? What are my obligations as a data controller? What are my obligations when my startup acts as a subcontractor?

The aim of this article is to give you the reflexes you need to adopt in the event of a personal data breach.

1. What is a personal data breach?

A personal data breach corresponds to any action, whether intentional or not, that undermines the confidentiality, integrity, or availability of personal data (Article 33 of the RGPD).

Examples: loss of a document containing personal data, malicious entry into a database.

A security flaw is a broader concept that corresponds to a vulnerability within an information system (IS) that, if exploited, could jeopardize its integrity.

Examples: SQL injection, phishing, ransomware, …

Security flaws do not always affect personal data, and therefore do not always result in a personal data breach. It is therefore necessary to analyze which data were affected by the security flaw before deciding which obligations apply.

2. What are your obligations as Data Controller?

The startup acting as data controller must comply with the following obligations:

a. Obligation to notify the supervisory authority

The startup is obliged to notify the competent supervisory authority of any breaches of the data it processes, where there is a risk to the persons concerned.

When to notify? The startup must notify the supervisory authority within 72 hours of becoming aware of the personal data breach.

Warning: for startups processing the personal data of individuals located in France, the CNIL notification form is available at https://notifications.cnil.fr/notifications/index. Where the 72-hour deadline has not been met, this form requires you to state the reasons for the delay. The CNIL sets a further 72-hour deadline between the initial notification and the supplementary notification.

b. Obligation to inform data subjects

Where there is a high risk to the rights and freedoms of data subjects, the startup is obliged to communicate the occurrence of a data breach to those concerned.

How soon? This communication to the people concerned must be made as soon as possible.

Communication content:

  • Description, in clear and simple terms, of the nature of the personal data breach;
  • Name and contact details of data protection officer or other point of contact from whom further information can be obtained;
  • Description of the likely consequences of the personal data breach;
  • Description of the measures taken or proposed to be taken by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any negative consequences.

In some cases, it may be necessary to distinguish between data subjects who must be informed and data subjects who do not need to be informed because one of the following exceptions applies:

  • Appropriate technical and organizational protection measures have been taken (e.g. encryption or pseudonymization);
  • Subsequent measures ensure that the high risk is no longer likely to recur;
  • Communication to the people concerned would require disproportionate effort (in which case public communication would be appropriate).

c. Obligation to keep a register of personal data breaches

The RGPD requires the startup to document any data breach to enable the supervisory authority to carry out an a posteriori check of all personal data breaches. The startup must therefore keep a register of personal data breaches.

When? This register must be kept on an ongoing basis, and the startup must record all data breaches that have occurred.


3. What are your obligations as a subcontractor?

When the startup acts as a subcontractor (processor) within the meaning of the RGPD, its obligations in relation to data breaches are not the same. In practice, a startup that hosts personal data on behalf of a data controller, or that provides a SaaS platform, processes personal data solely on behalf of data controller companies. The startup, which is therefore acting as a Subcontractor within the meaning of the RGPD (regardless of its location), must comply with the obligations incumbent on it towards its client companies in the event of a personal data breach.

The startup acting as a Processor within the meaning of the RGPD has an obligation to inform the controller of the personal data concerned that a data breach has occurred.

When must the data controller be informed? The Subcontractor is obliged to inform the Data Controller as soon as possible.

Warning: a deadline may be contractually imposed on the Subcontractor by the Data Controller. Indeed, when the Data Controller and the Subcontractor enter into a contract that includes a clause on the protection of personal data (Article 28 of the RGPD), they may stipulate that the Subcontractor must inform the Data Controller within a certain period (for example: 48 hours).

4. Our advice

When the startup acts as a Data Controller, it is recommended to:

  • implement a personal data breach management policy internally, in order to manage data breaches better and to be informed quickly when one occurs;
  • submit an initial notification to the CNIL, to be supplemented “as soon as possible” by an additional notification.

When the startup acts as a Subcontractor, it is recommended not to carry out any notification to the supervisory authority or communication to data subjects on behalf of the Data Controller. The RGPD does not impose these obligations on the startup acting as a Subcontractor.

5. WHY MUST YOU COMPLY WITH THESE RGPD OBLIGATIONS?

Data security is an extremely important issue, which has an impact on relations with the startup’s customers, partners and service providers.

The point of complying with these RGPD obligations is to avoid:

  • Financial penalties of up to 20 million euros or 4% of worldwide annual sales, whichever is higher, which may be made public;
  • Publicity around a penalty for a security breach or for failure to notify a personal data breach, which will have negative consequences for the startup’s image and reputation.

For example: in France, the Penal Code provides for criminal penalties of up to 5 years’ imprisonment and a €1.5 million fine for corporate bodies.

References

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • Guidelines, recommendations and best practices published by the European Data Protection Committee (EDPS);
  • Article 29 Working Party (G29) guidelines approved by the EDPS.
