Data Protector Breaches
Dear European Data Protection Supervisor,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:
Please can you tell me:
1) What is the process for a member state to report a breach of an individual's data to your organisation?
2) What is the guidance and legislation that your organisation gives to member states regarding data protection?
3) Has your department ever communicated with the Computer Emergency Response Team regarding the development of safeguarding policies?
Yours faithfully,
Jonathan Mantle
Dear Mr Mantle,
I am writing in reply to your email of 21 March 2015, to the European Data
Protection Supervisor (EDPS), regarding data breaches.
The EDPS is an independent authority that primarily deals with supervision
of the processing of personal data by the European Union's institutions
and bodies. We also advise them on new EU legislative proposals and
initiatives relating to the protection of personal data, and we cooperate
with relevant actors in the field. We are therefore only competent to deal
with data protection matters relating to the EU institutions and bodies
and do not give guidance to nor receive breach reports from Member States.
The competent authority is the respective national data protection
authority (DPA) of a specific Member State. I would therefore advise you
to contact each individual national DPA in which you are interested in
order to determine their policies for the reporting of data breaches. You
can find the contact details of all EU DPAs using the following link:
In response to your question concerning the Computer Emergency Response
Team, I can inform you that the EU institutions operate their own Computer
Emergency Response Team, which is called CERT-EU.
The EDPS cooperates regularly with CERT-EU, in
particular on issues concerning security and data protection.
Kind regards,
Courtenay Mitchell
Information and Communication
Tel. (+32) 228 319 00 | Fax +32 2 283 19 50
Email: [EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
Twitter: @EU_EDPS
This email (and any attachment) may contain information that is internal
or confidential. Unauthorised access, use or other processing is not
permitted. If you are not the intended recipient please inform the sender
by reply and then delete all copies. Emails are not secure as they can be
intercepted, amended, and infected with viruses. The EDPS therefore cannot
guarantee the security of correspondence by email.
According to Articles 11 and 12 of Regulation (EC) 45/2001 on the
protection of individuals with regard to the processing of personal data
by the Community institutions and bodies and on the free movement of such
data, please be informed that your personal data (your contact details)
are processed by the EDPS, when proportionate and necessary, for the
purpose of handling your request. The legal base for this processing
operation is Article 5(a) of Regulation (EC) 45/2001, the provisions on
the tasks and duties of the EDPS in the same Regulation and Article 52 of
the EDPS Rules of Procedure. Of course all is also based on your consent.
The data processed are submitted by yourself. Your data might be
transferred to other EU institutions and bodies or to any third parties
only where necessary to ensure the appropriate handling of your request.
Your data will be stored by the EDPS in electronic and paper files for a
maximum of ten years. You have the right of access to the personal data we
hold regarding you and to rectify it if necessary. Any such request should
be addressed to the EDPS at [EDPS request email]. Further rules on
exercising your rights can be found in Art. 13 of the EDPS implementing
rules concerning the Data Protection Officer:
You can also lodge an appeal to the EDPS as supervisory authority under
article 11(f)(iii). In this case the EDPS will make sure that a different
department than that acting as controller would be in charge of your