Updated guidelines regarding breaches of data security
Earlier this year, the Danish Data Protection Agency updated its guidance on handling personal data breaches. The guidelines include an updated section on breach notifications and new examples of what a breach is.
Companies that are data controllers are responsible for reporting data breaches to the Data Protection Agency. This applies unless it is unlikely that the breach entails a risk to the rights of those affected. Besides the duty to report to the Data Protection Agency, affected individuals must also be informed if the breach poses a high risk to them.
That means that it is crucial that companies can recognise data breaches in practice. But what is a breach? A breach is defined as the accidental or illegal destruction, loss, change, unauthorised forwarding of, or access to personal data.
In practice, breaches can take various forms. Types of data breaches we frequently see include:
- An employee illegally or accidentally discloses information
- An employee loses a USB stick or computer, or has one stolen
- An employee forgets to protect data from unauthorised access
- A company suffers a ransomware attack or other hacking incident
- A company fails to delete data in its internal systems
- A company provides overly broad access to data on network drives
When a breach occurs, there is a deadline for reporting it. Companies must report the breach to the Data Protection Agency without undue delay, and no later than 72 hours after becoming aware of it. If more than 72 hours pass, companies must justify the delay.
IUNO's opinion
Design, default settings, and good routines are essential to ensure an adequate level of security. Regardless of the security level, companies should have a plan for handling breaches. It is a good idea to describe how the Data Protection Agency will be informed, and what information needs to be prepared prior to notification.
IUNO recommends that companies designate one or more employees to report data breaches. It is a good idea to assign employees who are already involved in compliance work. Alternatively, data processors can also submit breach notifications on behalf of data controllers. However, delegation does not change the fact that the overall responsibility lies with the data controller.
We have previously written about how open personnel files resulted in a data breach here.
[The Danish Data Protection Agency’s guidance “Handling Personal Data Breaches,” May 2025]