This post is also available in: Español

Today, April 2, 2020, the Spanish Data Protection Agency (“AEPD”) stated in its blog that the 72-hour period to notify the AEPD of a security breach, established in Article 33 of the General Data Protection Regulation, remains in effect and is not affected by the suspension of administrative periods established in additional provision three of Royal Decree 463/2020, of March 14, declaring the state of emergency to manage the public health crisis caused by COVID-19.

However, the AEPD also states that, if all the necessary information is not available, initial notification can be given in the established period, subsequently expanding it with an additional notification when this information is available.

The interested parties must also be notified as soon as possible if the security breach involves a high risk to their rights and freedoms.   

According to the AEPD, this is due to the need, at this time of particular vulnerability, to be aware of incidents, so it can provide information to citizens and the competent authorities to help them take the necessary protection measures. 

The notice can be submitted electronically through the AEPD’s electronic office and, therefore, from home.

By: Alejandro Negro and Adaya Esteban

This post is also available in: Español



38 artículos

Alejandro Negro



39 artículos