Personal Data Breach Notification Form

Fields marked with * are mandatory

0. Data Breach Notification

Type of notification: *

Choose the type of notification

Is this a bundled notification?

Yes No

Has a preliminary notification been submitted

Yes No

Insert the IDPC file reference number of previously notified breach:

(In case a preliminary notification has been submitted, key in the IDPC reference number provided in the breach notification acknowledgement email in the form CDP/DBN/[NUMBER]/[YEAR])

Date of previous notification:

(Date of the breach notification acknowledgement email)

1. Controllers established in the European Economic Area

Does this notification relate to a breach involving cross border processing?

(Cross-border processing means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State).

Yes No

Is this Office the organisation's lead supervisory authority (LSA)?

Yes No

Is this Office the local supervisory authority of the organisation's establishment concerned by the breach?

Yes No

Indicate the Lead Supervisory Authority *

Select from the List of Supervisory Authorities

Does the breach involve establishments located in other Member States?

Yes No

Choose the Member States where these establishments are located:

Select from the List of Member States

In which of these Member States data subjects are likely to have been affected by the breach?

Select from the List of Member States

Provide the number of affected data subjects for each Member State.

2. Controllers established outside the European Economic Area

Is this notification being submitted in line with the EDPB guidelines 3/2018 on the territorial scope of the GDPR (Article 3), and guidelines 9/2022 on personal data breach notification under GDPR - Version 2.0 – paragraph 2?

Yes No

Pursuant to which legal basis is this notification being submitted to this Office?

Enter the legal basis

Has the organisation appointed a representative in terms of Article 27 of the GDPR?

Yes No

Full name of the representative:

Contact person:

Address:

Email Address:

Phone number:

List of other Data Protection Authority or Authorities (DPA(s)) to which the breach has been or will be notified:

(Please note that the mere appointment of a representative in a Member State does not trigger the one-stop-shop system. For this reason the breach will need to be notified to every supervisory authority where affected data subjects reside)

Provide the number of affected data subjects per country as notified or as will be notify to the competent supervisory authority:

In this field the list of chosen SAs should appear with the possibility of adding a number to each line

Did any of the notified DPA(s) take any action so far?

Yes No

Provide a brief description of such action:

Click or tap here to enter text.

3. Organisation details

Organisation's officially registered number (if applicable):

Name of organisation:

Organisation's registered address:

Organisation's main establishment address:

(Main establishment means: (a)as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment)

Contact details of the organisation's legal representative:

Name:

Surname:

Email Address:

Phone number:

Address of the location from which they carry out their activities:

Is the organisation part of a group?

Yes No

Group details:

Name of the group:

Address:

Address of the establishment where the breach occurred:

Full name and contact details of the data protection officer or, if not appointed, of any other contact point within the organisation with whom this Office will engage in relation to the reported breach:

(Please note that the email address provided here below will be used to send the breach notification acknowledgment and any further communication related to the incident)

Name:

Surname:

Position/Role:

Email Address:

Confirm Email Address:

Phone number:

Address of the location from which they carry out their activities:

Reporting person contact details:

Name:

Surname:

Position/Role:

Email Address:

Confirm Email Address:

Phone number:

Address:

Number of employees of the organisation:

(When the organisation is part of a group of companies, indicate the total number of employees of the group)

4. Other entities involved

Are there any other entities involved

(e.g. joint controller, processor, sub-processor or separate controller)

Yes No

Provide copy of the data protection agreement/s ex Art 28 GDPR:

Click to Upload

Click to upload or drag and drop SVG, PNG, JPG or GIF (max. 08 MB)

Add Another Agreement:

Click to Upload

Click to upload or drag and drop SVG, PNG, JPG or GIF (max. 08 MB)

7. Summary of the incident that caused the personal data breach

Summary of the incident that caused the personal data breach:

Description of the systems, software, services and IT infrastructures involved in the breach, including their location:

8. Cause of breach

Internal non malicious Internal malicious External non malicious External malicious Unknown Other

Description of any other cause which led to the breach:

9. Type of compromised data

9.2 Special categories of data

Data revealing racial or ethnic origin Political opinions Religious or philosophical beliefs Trade union membership Sex life data Health data Genetic data Biometric data Not possible to determine for the time being

Provide more details about the selected categories of data that have been compromised:

Purpose for which the data have been processed:

13. Type of breach

Confidentiality (where there is an unauthorised or accidental disclosure of, or access to, personal data)

Integrity (where there is an unauthorised or accidental alteration of personal data)

Availability (where there is an accidental or unauthorised loss of access to, or destruction of, personal data and data are not made available)

14. Consequences

14.1 Breach of Confidentiality

The data involved in the breach was accessed by recipients other than authorised ones If the data was accessed by a third party, was there the consent of the data subject? Data may be linked to other information of the data subjects? The personal data may be further processed for other purposes different from the original one

Other confidentiality consequence/s:

14. Consequences

14.2 Breach of Integrity

Data may have been modified and used even though it is no longer valid Data may have been modified into otherwise valid data and subsequently used for other purposes

Other integrity consequence/s:

14. Consequences

14.3 Breach of Availability

Loss of the ability to provide a critical service to the affected data subjects Alteration of the ability to provide a critical service to the affected data

Other availability consequence/s:

15. Taking Action

15.1.1 Description of measures not to trigger the requirement to inform the data subjects

The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it.

Tick the appropriate measures

Encryption, hashing or any other measures to make the data unintelligible or inaccessible to unauthorised persons Anonymisation Pseudonymisation

The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise

Specify:

It would involve disproportionate effort to inform each data subject individually

Specify:

15. Taking Action

15.2 Measures taken to address the breach

Measures taken by the controller to address the breach:

16. Additional information

Has the breach been, or will it be notified, to Data Protection Authorities in third countries?

Yes No

List of the other third country data protection authorities to which the breach has been, or will be notified

Has the breach been, or will it be notified, to other EU regulators (not related to data protection), including other regulators in Malta, due to legal obligations deriving from other laws to which the organisation is subject?

Yes No

List of other EU regulators to which the breach has been, or will be notified

Thank You!

Your submission has been received successfully. We will review your request and get back to you as soon as possible.

Personal Data Breach Notification Form

0. Data Breach Notification

1. Controllers established in the European Economic Area

2. Controllers established outside the European Economic Area

3. Organisation details

Contact details of the organisation's legal representative:

Group details:

Full name and contact details of the data protection officer or, if not appointed, of any other contact point within the organisation with whom this Office will engage in relation to the reported breach:

Reporting person contact details:

4. Other entities involved

5. Timeline of the incident

6. Nature of incident

7. Summary of the incident that caused the personal data breach

8. Cause of breach

9. Type of compromised data

9.1 Regular data

9. Type of compromised data

9.2 Special categories of data

10. About the data subjects

11. About the measures in place BEFORE the breach

Policies, plans and frameworks in place at the time of the breach:

12. Employees training

13. Type of breach

14. Consequences

14.1 Breach of Confidentiality

14. Consequences

14.2 Breach of Integrity

14. Consequences

14.3 Breach of Availability

14. Consequences

14.4 Physical damage

15. Taking Action

15.1 Communication to the affected data subjects

15. Taking Action

15.1.1 Description of measures not to trigger the requirement to inform the data subjects

15. Taking Action

15.2 Measures taken to address the breach

16. Additional information

Thank You!