Chapter IV, Section 2, Article 31, Paragraph 1

Text

en In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

de Bei einer Verletzung des Schutzes personenbezogener Daten benachrichtigt der für die Verarbeitung Verantwortliche die Aufsichtsbehörde ohne unangemessene Verzögerung und nach Möglichkeit binnen 24 Stunden nach Feststellung der Verletzung. Falls die Meldung an die Aufsichtsbehörde nicht binnen 24 Stunden erfolgt, ist dieser eine Begründung beizufügen.

fr En cas de violation de données à caractère personnel, le responsable du traitement en adresse notification à l'autorité de contrôle sans retard injustifié et, si possible, 24 heures au plus tard après en avoir pris connaissance. Lorsqu'elle a lieu après ce délai de 24 heures, la notification comporte une justification à cet égard.

es En caso de violación de datos personales, el responsable del tratamiento la notificará a la autoridad de control sin demora injustificada y, de ser posible, a más tardar veinticuatro horas después de que haya tenido constancia de ella. Si no se hace en el plazo de veinticuatro horas, la notificación a la autoridad de control irá acompañada de una justificación motivada.

pt Em caso de violação de dados pessoais, o responsável pelo tratamento notifica desse facto a autoridade de controlo, sem demora injustificada e, sempre que possível, o mais tardar 24 horas após ter tido conhecimento da mesma. Caso a notificação à autoridade de controlo não seja transmitida no prazo de 24 horas, deve ser acompanhada de uma justificação razoável.

it In caso di violazione dei dati personali, il responsabile del trattamento notifica la violazione all’autorità di controllo senza ritardo, ove possibile entro 24 ore dal momento in cui ne è venuto a conoscenza. Qualora non sia effettuata entro 24 ore, la notificazione all’autorità di controllo è corredata di una giustificazione motivata.

ga I gcás ina ndéantar sárú i ndáil le sonraí pearsanta, tabharfaidh an rialaitheoir fógra don údarás maoirseachta faoin sárú sin gan moill mhíchuí agus, nuair is féidir, tráth nach déanaí ná 24 uair tar éis don rialaitheoir a thuiscint gur tharla an sárú. Gabhfaidh cosaint réasúnaithe leis an bhfógra don údarás maoirseachta i gcás nach dtugtar an fógra sin laistigh de 24 uair.

cs Dojde-li k narušení bezpečnosti osobních údajů, správce jej ohlásí orgánu dozoru, a to bez zbytečného odkladu, a je-li to možné, nejpozději do 24 hodin od chvíle, kdy toto narušení zjistil. Pokud není případ ohlášen orgánu dozoru do 24 hodin, k ohlášení je třeba připojit odůvodnění.

da Ved brud på persondatasikkerheden anmelder den registeransvarlige uden unødig forsinkelse og om muligt senest 24 timer, efter at denne er blevet bekendt med det, bruddet på persondatasikkerheden til tilsynsmyndigheden. Anmeldelsen til tilsynsmyndigheden ledsages af en begrundelse, hvis den ikke er indgivet inden for 24 timer.

et Vastutav töötleja teavitab järelevalveasutust isikuandmetega seotud rikkumisest põhjendamatu viivitusteta ja võimaluse korral 24 tunni jooksul pärast rikkumise avastamist. Kui järelevalveasutusele esitatakse teade hiljem kui 24 tunni jooksul, esitatakse teates selle kohta põhjendus.

el Σε περίπτωση παραβίασης δεδομένων προσωπικού χαρακτήρα, ο υπεύθυνος επεξεργασίας κοινοποιεί στην αρχή ελέγχου την παραβίαση δεδομένων προσωπικού χαρακτήρα αμελλητί και, ει δυνατόν, το αργότερο εντός 24 ωρών από τη στιγμή που την πληροφορείται. Η κοινοποίηση στην αρχή ελέγχου συνοδεύεται από αιτιολογία στις περιπτώσεις στις οποίες δεν πραγματοποιείται εντός 24 ωρών.

bg В случай на нарушение на сигурността на личните данни администраторът, без излишно забавяне и, когато това е осъществимо, не по-късно от 24 часа след установяването на такова нарушение, уведомява надзорния орган за нарушението на сигурността на личните данни. Уведомлението до надзорния орган се придружава от мотивирана обосновка в случаите, когато то не е подадено в срок от 24 часа.

hu Az adatkezelő a személyes adatok megsértése esetén indokolatlan késedelem nélkül, amennyiben lehetséges a személyes adatok megsértéséről való tudomásszerzéstől számított 24 órán belül értesíti a felügyelő hatóságot a személyes adatok megsértéséről. A felügyelő hatóság értesítését írásbeli indokolással kell ellátni, amennyiben arra nem 24 órán belül került sor.

mt Fil-każ ta’ ksur ta’ dejta personali, il-kontrollur għandu mingħajr dewmien bla bżonn u, fejn possibbli, mhux aktar tard minn 24 siegħa wara li jkun sar jaf bih, jinnotifika l-ksur tad-dejta personali lill-awtorità ta’ superviżjoni. In-notifika lill-awtorità ta’ superviżjoni għandha tkun akkumpanjata b’ġustifikazzjoni motivata f’każijiet fejn ma ssirx fi żmien 24 siegħa.

lv Personas datu aizsardzības pārkāpuma gadījumā pārzinis bez nepamatotas kavēšanās un, ja tas iespējams, ne vēlāk kā 24 stundās no brīža, kad tas kļuvis zināms, paziņo uzraudzības iestādei par personas datu aizsardzības pārkāpumu. Paziņojumam uzraudzības iestādei pievieno pamatotu paskaidrojumu, ja paziņošana nav notikusi 24 stundu laikā.

ro În cazul în care are loc o încălcare a securității datelor cu caracter personal, operatorul notifică acest lucru autorității de supraveghere fără întârzieri nejustificate și, în cazul în care este posibil, în termen de cel mult 24 de ore de la data la care a luat cunoștință de aceasta. Notificarea autorității de supraveghere trebuie să fie însoțită de o explicație motivată în cazul în care aceasta nu are loc în termen de 24 de ore.

sk V prípade, že dôjde k porušeniu ochrany osobných údajov, prevádzkovateľ bez zbytočného odkladu a podľa možnosti najneskôr do 24 hodín po tom, čo sa o tejto skutočnosti dozvedel, oznámi porušenie ochrany osobných údajov dozornému orgánu. K oznámeniu dozornému orgánu sa pripája náležité zdôvodnenie, ak oznámenie nebolo predložené do 24 hodín.

sl Upravljavec v primeru kršitve varnosti osebnih podatkov o kršitvi nemudoma, po možnosti najpozneje v 24 urah po odkritju kršitve, obvesti nadzorni organ. Upravljavec nadzornemu organu predloži primerno utemeljitev v primerih, kadar nadzorni organ ni bil obveščen v 24 urah.

fi Jos tapahtuu henkilötietojen tietoturvaloukkaus, rekisterinpitäjän on ilmoitettava siitä valvontaviranomaiselle ilman aiheetonta viivytystä ja mahdollisuuksien mukaan 24 tunnin kuluessa sen ilmitulosta. Jos ilmoitusta ei anneta 24 tunnin kuluessa, rekisterinpitäjän on toimitettava valvontaviranomaiselle perusteltu selitys.

pl W przypadku naruszenia ochrony danych osobowych, administrator zgłasza organowi nadzorczemu takie naruszeniu bez nieuzasadnionej zwłoki i jeśli jest to możliwe, nie później niż w ciągu 24 godzin od momentu dowiedzenia się o tym naruszeniu. Jeśli organ nadzorczy nie zostanie zawiadomiony w ciągu 24 godzin, do zgłoszenia należy dołączyć umotywowane wyjaśnienie.

lt Asmens duomenų saugumo pažeidimo atveju duomenų valdytojas, nepagrįstai nedelsdamas, jei įmanoma per 24 valandas nuo tada, kai sužino apie asmens duomenų saugumo pažeidimą, praneša apie jį priežiūros institucijai. Jeigu priežiūros institucijai apie asmens duomenų saugumo pažeidimą nepranešama per 24 valandas, prie pranešimo pridedamas motyvuotas paaiškinimas.

nl In geval van een inbreuk in verband met persoonsgegevens meldt de voor de verwerking verantwoordelijke de toezichthoudende autoriteit deze inbreuk zonder onnodige vertraging en zo mogelijk niet later dan 24 uur nadat hij ervan kennis heeft gekregen. Wanneer de melding aan de toezichthoudende autoriteit niet binnen 24 plaatsvindt, gaat deze vergezeld van een motivering.

sv Vid ett personuppgiftsbrott ska den registeransvarige utan onödigt dröjsmål och, om så är möjligt, inte senare än 24 timmar efter att ha fått vetskap om det, anmäla personuppgiftsbrottet till tillsynsmyndigheten. Om anmälan till tillsynsmyndigheten inte görs inom 24 timmar ska den åtföljas av en utförlig motivering.

Amendments

imco Amendment #

1. In the case of a significant personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. Data breach shall be considered significant if it could adversely affect privacy of the data subject.
Rafał Trzaskowski pl EPP

imco Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Matteo Salvini it EFD

imco Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it which will have significant risk of harm to citizens, the controller shall without undue delay, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Morten Løkkegaard dk ALDE

imco Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
Christian Engström se Greens/EFA

imco Amendment #

1. In the case of a personal data breach which significantly affects the data subject, the controller shall, without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Andreas Schwab de EPP
Rafał Trzaskowski pl EPP

imco Amendment #

1. When the personal data breach is likely to have a serious adverse effect on the protection of the personal data or privacy of the data subject, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Philippe Juvin fr EPP

imco Amendment #

1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 24 hours after having become aware of it, , notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Malcolm Harbour uk ECR
Adam Bielan pl ECR

juri Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, such as to constitute a serious risk to personal data privacy, the controller shall without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Antonio López-Istúriz White es EPP

juri Amendment #

1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 24 hours after having become aware of it, , notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Sajjad Karim uk ECR

juri Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
Eva Lichtenberger at Greens/EFA

juri Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
Françoise Castex fr S&D

itre Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
Silvia-Adriana Ţicău ro S&D

itre Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, when the breach is likely to produce legal effects to the detriment of the data subject's privacy, the controller shall without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Adina-Ioana Vălean ro ALDE
Jürgen Creutzmann de ALDE

itre Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
Ivailo Kalfin bg S&D

itre Amendment #

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, that will have significant risk of harm to citizens, the controller shall without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Jens Rohde dk ALDE
Adina-Ioana Vălean ro ALDE

Lobby Proposals

Proposal by American Chamber of Commerce

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours. that is likely to lead to significant risk of substantial harm to a data subject, the controller shall without undue delay after having confirmed that a personal breach has occurred, notify the personal data breach to its lead supervisory authority.

Proposal by American Chamber of Commerce

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, that is likely to lead to significant risk of substantial harm to a data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority. The notification to the its lead supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours..

Proposal by European Banking Federation

1. In the case of a any significantly harmful personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the notify the personal data breach to the supervisory authority within a reasonable time. A significantly harmful personal data breach shall be determined by the controller, who can be assisted by the data protection officer, based on factors including the assessment of whether a personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.has created serious breaches for a significant number of data subjects. Exemptions from data breach provisions should be awarded where sophisticated encryption is used or if measures are taken to adequately compensate those affected.

Proposal by eurofinas

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, which is likely to substantially adversely affect the personal data or privacy of the data subject, the controller shall notify the personal data breach to the supervisory authority within a reasonable period of time. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.a reasonable period of time. For regulated activities, where a duty already exists to notify a personal data breach to sectoral supervisory authorities, the latter shall communicate the personal data breach to the data protection supervisory authority.

Proposal by Microsoft

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, that is likely to lead to significant risk of substantial harm to a data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority. The notification to the its competent supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours..

Proposal by European Digital Rights

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.