Data controllers must:
Notify their supervisory data protection authority (“DPA”) of personal data breaches without undue delay and, where feasible, not later than 72 hours of learning of a data breach. Exception: Controllers are not required to report if the breach is unlikely to result in the risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay. Exceptions:
1) where the breach is unlikely to result in a high risk for the rights and freedoms of data subjects;
2) the Controller had implemented appropriate technical and organisational protection measures that were in place at the time of the incident such as encryption;
or 3) where the notification would involve disproportionate efforts, controllers should inform data subjects by a public communication or similar measures. Processors must report breaches of personal data to Controllers without undue delay.