The Spanish Data Protection Authority (hereinafter, the “SDPA”) published yesterday, 25 May 2021, the new version of its "Guide on Personal Data Breach Notification" ("Guide").
The Spanish supervisory authority had published the first version of the Guide in June 2018, the year in which the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) started to be implemented.
The main purpose of the Guide is to provide data controllers with instructions on how to comply with their obligations to notify data breaches affecting personal data to the supervisory authorities (Article 33 of the GDPR) and, where appropriate, to those affected by the data breach (Article 34 of the GDPR).
The new version of the Guide incorporates the experience gathered since the implementation of the GDPR by the SDPA, other supervisory authorities and the European Data Protection Board. It also gives clearer indications than the previous version on the obligations of data controllers in this area. For example, the SDPA has clarified that the 72-hour deadline for notifying a data breach to the supervisory authority includes the hours elapsed during weekends and bank holidays.