The European Data Protection Board Published a New Guide on the Notification of Security Incidents

The European Data Protection Board has published its final version of Guide No. 1/2021 on the notification of security incidents.

The Guide narrates 18 cases that work as examples for determining when to notify a security incident to the controlling authority and/or to the data subjects affected by such incident. In addition, the Guide recommends what measures to adopt in case there is a security incident of the same or similar characteristics of the cases described.

Although the Argentine Personal Data Protection Law No. 25,326 does not foresee an express obligation to notify the controlling authority and/or data subjects of the occurrence of a security incident, the Agency of Access to Public Information (“DPA”) does recommend notifying them in different decisions and regulations.

For instance, while Regulation No. 47/2018 recommends notifying the DPA about the existence of a security incident, Regulation No. 332/2020 also suggests providing notice to the data subjects.

Even though the Guide is not directly applicable to Argentine data controllers, data controllers can use it to determine in which cases a notification might be necessary.