Report data breach.

A breach of security that accidentally or unlawfully leads to unauthorized or unintended access to personal data. This includes the destruction, the loss, the change or the disclosure of the data.

There are three types of personal data breaches:

• Confidentiality: unauthorized or unintentional disclosure of or access to personal data;
• Integrity: unauthorized or unintentional change of personal data;
• Availability: unauthorized or accidental loss of access to or destruction of personal data.

Examples of personal data breaches are:

• A lost USB stick;
• A stolen laptop
• An e-mail is sent with all e-mail addresses in the CC instead of the BCC;
• A hacker burglary;
• A malware infection;
• A calamity (such as a fire) in the data center.

Personal data is any data that can be used to identify a person. You can think of:

• Names and addresses
• Telephone numbers and e-mail addresses
• Login credentials
• Social security number
• Gender
• Special categories of personal data (e.g. race, ethnicity, religion, and health data)
• A combination of background information from respondents

Every breach of security must be registered internally. In case of doubt, act as if there is a serious personal data breach. Better safe than sorry!

A personal data breach must be reported to the supervisory authority within 72 hours. By reporting a personal data breach within 6 hours, Centerdata still has more than enough time to investigate the circumstances of the personal data breach.

If Centerdata has the role of processor, we can report the personal data breach to the controller in time.

Centerdata’s DPO examines the report and subsequently determines whether the controller, the supervisory authority and/or the data subjects must be informed. The DPO can also request additional information.

Employees, temporary staff, clients, research partners, and suppliers are expected to provide all information necessary to inform the right authorities and people.