The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.
§1 The communication shall be done in a reasonable time period, as defined by the national authority, and shall contain, at the very least:
I – a description of the nature of the affected personal data;
II – information on the data subjects involved;
III – an indication of the technical and security measures used to protect the data, subject to commercial and industrial secrecy;
IV – the risks related to the incident;
V – the reasons for delay, in cases in which communication was not immediate; and
VI – the measures that were or will be adopted to reverse or mitigate the effects of the damage.
§2 The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the data subjects’ rights, order the controller to adopt measures, such as:
I – broad disclosure of the event in communications media; and
II – measures to reverse or mitigate the effects of the incident.
§3 When judging the severity of the incident, the national authority shall take into account any demonstration that, within the scope and the technical limits of the services, adequate technical measures were adopted to render the affected personal data unintelligible to third parties not authorized to access them.