This post is also available in: Español

On October 17, 2017, the Article 29 Data Protection Working Party (WP29) published two sets of guidelines, one on personal data breach notification (Article 33 GDPR) and one on automated individual decision-making and profiling (Article 22 GDPR), whose contents we discuss below.

Guidelines on personal data breach notification

This set of guidelines classifies personal data breaches into three types, which may occur separately or in combination:

  • Confidentiality breach: unauthorized disclosure or access.
  • Availability breach: loss of access or destruction.
  • Integrity breach: unauthorized or accidental change.

The GDPR establishes that the data controller must notify a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it. The guidelines state that the controller becomes "aware", and the 72-hour period begins, when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.

Where a breach is likely to result in a risk to the rights and freedoms of individuals, the data controller must notify it to the competent supervisory authority. Affected individuals, however, must be notified only where the breach is likely to result in a high risk; the WP29 therefore underlines that the threshold for notifying individuals is higher than the threshold for notifying the authority.

Under the GDPR, the notification must, where possible, describe the categories and approximate number of data subjects and of personal data records concerned. The WP29 stresses that the focus should be on describing the risk the breach creates; what matters is reporting the factors that determine the level of risk rather than the exact numbers, which may be refined as the investigation progresses.

Guidelines on individual decision-making and profiling

The guidelines begin by distinguishing the two concepts. Automated individual decision-making is understood as the practice of making decisions by technological means without human involvement. Profiling is defined as gathering information about individuals and analyzing their characteristics and behavior patterns in order to place them in a certain category or to make predictions or assessments about their ability to perform a task, their interests or their likely behavior.

According to the GDPR, individuals are entitled not to be subject to decisions based solely on automated processing, including profiling, when those decisions (i) produce legal effects, i.e., affect the individual's legal rights, legal status or rights under a contract; or (ii) similarly significantly affect the individual, understood as decisions that can affect the individual's circumstances, behavior or choices.

However, there are exceptions to the prohibition on automated decisions. For the exception where the decision is necessary for entering into or performing a contract (Article 22(2)(a) GDPR), the WP29 establishes that necessity must be interpreted narrowly: the controller must demonstrate that the profiling is genuinely necessary for the contract and consider whether a less privacy-intrusive method could achieve the same goal.

Lastly, with respect to the obligation to provide meaningful information about the logic involved in automated decisions, the WP29 stresses that the controller must find simple ways to tell the data subject the criteria on which the decision is based, without necessarily attempting a complex explanation of the algorithms used.

Authors: Inés Cabañas and Alejandro Negro
