Following public consultation, the EDPB adopted a final version of the Guidelines on examples regarding data breach notifications. These guidelines complement the Article 29 Working Party guidance on data breach notification by introducing more practice orientated guidance and recommendations. They aim to help data controllers respond to personal data breaches and comply with their notification obligations under the GDPR.

Breaches should be notified when the data controller is of the opinion that it is likely to result in a risk to the rights and freedoms of the data subject, and the guidelines provide case studies to help data controllers and processors perform a risk assessment when they become aware of the breach.

Case studies include incidents involving ransomware attacks, data exfiltration attacks, human error and lost devices and documents. The scenarios and recommended steps to be followed are based on the collected experiences of various EEA supervisory authorities amidst a rising volume of cyber-attacks and other data breach incidents.