Skip to main content
European Citizens' Initiative

Data Protection Guidance - Question 11

Go back to the main page of the Data Protection Guidance for the organisers


Data Protection Guidance - Question 11

What should you do in case of a personal data breach?  

Applies to Case Scenario 2, except as regards the use of the Commission’s file exchange service

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or processed.

Notification of the data breach

In case of a personal data breach, the representative of the group of organisers must without delay and in principle no later than 72 hours after having become aware of it notify the personal data breach to the competent data protection authority, unless it is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification must include at least:

  • a description of the data breach, including the numbers of signatories affected and the categories of data affected;
  • the name and contact details of the Data Protection Officer (or other relevant point of contact);
  • the likely consequences of the data breach after considering the subject matter; and
  • any measures taken by the controller to remedy or mitigate the breach.

Where it is not possible to provide the information at the same time, the information may be provided in phases without delay.

The representative must also document the facts, their effects and the remedial actions already taken (or to be taken urgently, providing the planning for them).

Risks to rights and freedoms

Moreover, when the breach is likely to result in a high risk to the rights and freedoms of signatories, they must be informed accordingly, except when:

  • the implemented measures (like encryption, provided the key is not compromised) have made the data unintelligible or ensure that risks are not likely to materialise anymore, or
  • individual communication to signatories would involve disproportionate efforts. In such case, a public notice of the breach, whereby the signatories are informed could be made instead.


In case of data processing under joint controllership with the Commission, and unless the data breach is imputable to the conduct of the members of the group of organisers, the obligations above are fulfilled by the Commission. The group of organisers should assist, if necessary and to the extent possible, the Commission in managing personal data breaches.


Want to learn and collaborate?