(1) In the case of a personal data breach, the controller shall notify the Federal Commissioner without delay and, if possible, not later than 72 hours after having become aware of it, of the personal data breach, unless the personal data breach is unlikely to result in a risk to the legally protected interests of natural persons. If the Federal Commissioner is not notified within 72 hours, the notification shall be accompanied by reasons for the delay.
(2) A processor shall notify the controller of a personal data breach without delay.
(3) The notification referred to in subsection 1 shall include at least the following information:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed by the controller to address the personal data breach, including measures to mitigate its possible adverse effects.
(4) If it is not possible to provide the information pursuant to subsection 3 with the notification, the controller shall provide this information as soon as it is available.
(5) The controller shall document any personal data breaches. This documentation shall include all the facts relating to the personal data breach, its effects and the remedial action taken.
(6) If the personal data breach involves personal data that have been transmitted by or to a controller in another Member State of the European Union, the information referred to in subsection 3 shall be communicated to the controller in that Member State without delay.
(7) Section 42 (4) shall apply accordingly.
(8) Additional obligations of the controller regarding notifications of personal data breaches shall remain unaffected.