The WP29 guidelines on Personal data breach notification


The obligation of articles 33 and 34 GDPR

The WP 29 adopted its guidelines on the obligation to notify personal data breaches under Articles 33 and 34 of the GDPR.

In this paper, the WP 29 clarified the concept of a personal data breach by distinguishing three types: a confidentiality breach (unauthorised or accidental disclosure of, or access to, personal data), an integrity breach (unauthorised or accidental alteration of personal data) and an availability breach (accidental or unauthorised loss of access to, or destruction of, personal data). A single incident may fall into more than one of these categories.

It also addressed the moment at which the controller becomes “aware” of the breach, since that moment starts the 72-hour deadline for notifying the supervisory authority under Article 33(1). In the words of the guidelines: “This may raise the question of when a controller can be considered to have become “aware” of a breach. WP29 considers that a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”.

It also analysed the new role and the new obligations of the processor, which under Article 33(2) must notify the controller without undue delay after becoming aware of a personal data breach.

It indicated that penalties for failing to notify, capped under Article 83(4) at 10 million euros or 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, can be increased if the supervisory authority decides to also sanction the breach of the security obligations (Article 32) that the data breach brings to light.