GDPR Breach Definition: What Constitutes a Data Breach Under the General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a set of rules designed to protect the personal data of individuals within the European Union (EU). A data breach occurs when personal data is accessed, disclosed, or destroyed without the consent of the data subject. In this article, we will explore what constitutes a breach of the GDPR.

According to Article 4(12) of the GDPR, a personal data breach is defined as:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed”

This definition encompasses a wide range of scenarios, including:

• The accidental deletion of personal data
• The loss of a device containing personal data
• The unauthorized access to personal data by a third party
• The alteration of personal data without consent
• The destruction of personal data without consent

In addition to these scenarios, a data breach can also occur when personal data is:

• Transmitted to an unauthorized recipient
• Stored in an insecure manner
• Processed in a way that is not authorized by the data subject

It is important to note that a data breach does not necessarily mean that the personal data has been compromised. For example, if a device containing personal data is lost, but the data is encrypted and cannot be accessed, this would not be considered a breach.

However, if the device is not encrypted and the personal data can be accessed, this would be considered a breach. Similarly, if personal data is transmitted to an unauthorized recipient, this would also be considered a breach.

In conclusion, a data breach under the GDPR occurs when personal data is accessed, disclosed, or destroyed without the consent of the data subject. It is important for organizations to take steps to prevent data breaches and to respond quickly and effectively if a breach does occur.