The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.
§1 The communication shall be done in a reasonable time period, as defined by the national authority, and shall contain, as a minimum:
I – a description of the nature of the affected personal data;
II – information on the data subjects involved;
III – an indication of the technical and security measures used to protect the data, subject to commercial and industrial secrecy;
IV – the risks related to the incident;
V – the reasons for delay, in cases in which communication was not immediate;
VI – the measures that were or will be adopted to reverse or mitigate the effects of the damage.
§2 The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the data subjects’ rights, order the controller to adopt measures, such as:
I – broad disclosure of the event in communications media; and
II – measures to reverse or mitigate the effects of the incident.
§3 When judging the severity of the incident, any demonstration that adequate technical measures were adopted to render the affected personal data unintelligible to third parties who were not authorised to access them will be analysed, within the scope and the technical limits of the services.