Categories: Insights, Practice

Tag: Data Breach


2 Sep 2019

The form for notifying the Data Breach is ready

With Regulation 157 of 30 July 2019, which fully replaces all previous measures on the subject, the Guarantor for the Protection of Personal Data has provided the form for reporting computer incidents. Data Breach Pursuant to Article 33, paragraph 1, of the EU Regulation 2016/679 on the protection of personal data (the “GDPR“), the Data Controller is obliged, without undue delay and, where possible, within 72 hours of becoming aware of it, to notify the breach to the Supervisory Authority unless the breach of personal data is unlikely to pose a risk to the rights and freedom of individuals. In addition, the Data Controller who becomes aware of a possible violation is obliged to inform the owner in a timely manner so that he can take action. Notifications to the Guarantor made after the 72-hour period must be accompanied by the reasons for the delay. Furthermore, if the breach involves a high risk to the rights of the individuals, the holder must communicate it to all the persons concerned, using the most appropriate channels, unless he has already taken measures to reduce its impact. The Data Controller, regardless of the notification to the Guarantor, documents all breaches of personal data, for example by preparing a special register. This documentation allows the Control Authority to carry out any audits on the compliance with the regulations. Content of the notification to the Guarantor Pursuant to Article 33, paragraph 3, of the GDPR, the notification to the Guarantor must include the following information:
  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of records of the personal data concerned;
  • indicate the name and contact details of the Data Protection Officer (DPO) or other point of contact from whom more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed by the controller to remedy the personal data breach and also, where appropriate, to mitigate its possible adverse effects.
The above information is given in the form attached to the Regulation of 30 July 2019. Notification must be made via PEC to the following address  protocollo@pec.gpdp.it and must be digitally signed or signed by hand. In the latter case, the notification must be submitted together with a copy of the signatory’s identity document. The subject of the message must contain the words “NOTIFICATION OF VIOLATION OF PERSONAL DATA” and, optionally, the name of the data controller. In the event of a breach of the notification procedures, a financial penalty of up to €10 million or, in the case of companies, up to 2% of the total global annual turnover is applied.
Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…