Data Protection Act 2018

Communication of personal data breach to data subject

87. (1) Subject to subsections (2), (4) and (7), where a personal data breach occurs that is likely to result in a high risk to the rights and freedoms of a data subject, the controller shall, without undue delay, notify the data subject to whom the breach relates.

(2) Subsection (1) shall not apply where—

(a) the controller has implemented appropriate technological and organisational protection measures that were applied to the personal data affected by the personal data breach, in particular where the said measures, including encryption, render the personal data unintelligible to any person who is not authorised to access it, or

(b) the controller has taken measures in response to the personal data breach that ensure that the high risk to the rights and freedoms of a data subject from the breach is no longer likely to materialise.

(3) A notification under subsection (1) shall—

(a) describe, in clear and plain language, the nature of the personal data breach concerned, and

(b) contain at least the information specified in paragraphs (b) to (d) of section 86 (4).

(4) Where a notification under subsection (1) would involve a disproportionate effort, the controller shall notify the data subjects concerned of the personal data breach by way of public communication or other similar measure that ensures the data subjects are informed of the personal data breach in an equally effective manner.

(5) A notification under subsection (4) shall—

(a) describe, in clear and plain language, the nature of the personal data breach concerned, and

(b) contain such other information as is appropriate in all the circumstances.

(6) Where—

(a) a controller notifies the Commission under section 86 of a personal data breach, and

(b) the controller has not notified the data subject to whom the personal data relate under subsection (1) or (4), as the case may be, of the personal data breach,

the Commission may, having considered the likelihood of the data breach resulting in a high risk to the rights and freedoms of a data subject—

(i) require the controller to notify the data subject under subsection (1) or (4), as the case may be, or

(ii) determine that subsection (2) applies in relation to the personal data breach.

(7) A controller may, in relation to the exercise of the right of a data subject to be notified under subsection (1) of a personal data breach, restrict the exercise of the said right where to do so constitutes a necessary and proportionate measure in a democratic society, with due regard for the fundamental rights and legitimate interests of the data subject, for a purpose specified in section 94 (2).

(8) Where a controller restricts the exercise of the right of a data subject under subsection (7), subsections (5), (6) and (7) of section 94 shall apply in respect of the said restriction, with all necessary modifications.