Section 16
Part 3 — RESTRICTED PROCESSING AND PERSONAL DATA BREACHES
Personal data breaches
In the case of a personal data breach, the data controller shall, without undue delay, but no longer than five days after the data controller should, with the exercise of reasonable diligence, have been aware of that breach, notify the data subject of the data in question and the Commissioner of that personal data breach, describing —
- the nature of the breach;
- the consequences of the breach;
- the measures proposed or taken by the data controller to address the breach;
- the measures recommended by the data controller to the data subject of the personal data in question to mitigate the possible adverse effects of the breach.
A data controller who contravenes subsection (1) commits an offence and is liable on conviction to a fine of one hundred thousand dollars.
Referenced By
- Section 57 — General provisions relating to offences
Reference to an offence under section 16