According to Article 4 (12) of the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Examples of a data breach:

  • Data which should not be public have become public;
  • Data have been accidentally deleted or are no longer accessible for the necessary operations, even if the data are later restored from a back-up copy;
  • Unauthorised persons have accessed the data: for example, students are involved in the data analysis phase of the study, but no confidentiality agreement is signed with them beforehand;
  • Written consent is sought for the study to process the data for a specific purpose, but the data are used for purposes unrelated to the study;
  • Personal data are collected based on an opt-out mechanism, so the data subject must take steps to refuse the data collection.

A breach may harm an individual and their interests by causing physical, material or non-material damage. To avoid this, the university, as the data controller, must have a full overview and control over data processing.

3.5.1. Data breaches must be reported immediately

If a personal data breach occurs at the university, the university’s senior specialist for data protection (andmekaitse@ut.ee) must be informed immediately. Action should be taken as soon as possible, for example, to stop unauthorised access to or misuse of the data or other breaches. To prevent similar incidents in the future, it may also be necessary to report the incident to the IT helpdesk (arvutiabi@ut.ee).

The senior specialist for data protection must also be informed if there is only a suspicion of a breach – this will help to clarify the circumstances.

3.5.2. Be prepared to share information after a breach has been reported

Under Article 33 (5) of the GDPR, the university must document any personal data breaches, including the facts relating to the data breach, its effects and the remedial action taken. Therefore, an investigation will be launched after a breach, and if necessary, additional information will be gathered. People involved in the breach should be prepared to provide written explanations or the required materials to the data protection specialist.

Time should be taken to address the causes and consequences of the breach. It is very important to resolve the situation that has arisen (stop the data leak, inform the data subjects, assess what happened and why, determine how many people the data were disclosed to, review the whole process, etc.). This is all very time-consuming.

The university’s senior specialist for data protection will also inform the Data Protection Inspectorate about the breach, which in turn may open infringement proceedings against the university.

3.5.3. Possible consequences of the breach

Once the investigation into the breach is complete, solutions must be found to ensure that a similar incident does not happen again. These may include implementing additional protection measures, raising awareness, adjusting procedures, etc.

Under Article 82 (1) of the GDPR, anyone who has suffered material or non-material damage due to a personal data breach has the right to receive compensation from the controller or processor for the damage suffered. Chapter 6 of the Personal Data Protection Act lists the amounts of the fines that apply in case of a breach of the controller’s obligations. The Data Protection Inspectorate may impose a non-compliance levy upon failure to comply with a precept. The university may also hold an employee liable if it is found that the breach was due to the employee’s negligence.

In addition to the Personal Data Protection Act and the GDPR, sanctions for personal data breaches are also provided for in sections 157–157² of the Penal Code. The Penal Code allows for the prosecution of the natural person who committed the offence, i.e. the specific university employee who is at fault for the breach.
