EDPB issues draft guidelines for data breach notifications


Further to the GDPR requirement for reporting personal data breaches to the competent data protection authority and, in certain cases, to affected individuals, the European Data Protection Board (EDPB) has released a draft of the new Guidelines on Examples regarding Data Breach Notification.

Open for public consultation until 2 March 2021, the Draft Guidelines are a practice-oriented, case-based guidance reflecting the common experiences of data protection authorities with the aim of helping organisations decide how to handle data breaches and the factors to consider during risk assessment.

The Draft Guidelines expand on the Guidelines on Personal Data Breach produced by the former Article 29 Working Party. The decision to update this document was made because the original guidelines did not address all practical issues in sufficient detail, making it necessary to draft a guidance that utilises the experiences gained by authorities since the enactment of the GDPR.

The Draft Guidelines list cases according to certain categories of breaches and provide examples such as the following:


  • Ransomware with proper backup and without exfiltration.

  • Ransomware without proper backup.

  • Ransomware with backup and without exfiltration in a hospital.

  • Ransomware without backup and with exfiltration.

Data exfiltration attacks:

  • Exfiltration of job application data from a website.

  • Exfiltration of hashed password from a website.

  • Credential stuffing attack on a banking website.

Internal human risk source:

  • Exfiltration of business data by a former employee.

  • Accidental transmission of data to a trusted third party.

Lost or stolen devices and paper documents

  • Stolen material storing encrypted personal data.

  • Stolen material storing non-encrypted personal data.

  • Stolen paper files with sensitive data.


  • Snail mail mistake.

  • Sensitive personal data sent by mail by mistake.

  • Personal data sent by mail by mistake.

Other cases – social engineering

  • Identity theft.

  • Email exfiltration.

The Draft Guidelines also includes proposals on prior procedures and risk assessment; mitigating actions; and organisational and technical measures for preventing or mitigating the impacts of a breach. Once the Draft Guidelines are finalised, organisations should revise and update their personal data-breach management procedures on the basis of the examples and recommendations provided by the EDPB.

For more information, contact your CMS partner or CMS experts.