Data Breach

    A data breach is a security breach that leads to the destruction, loss, or alteration of personal data or to the unauthorised disclosure of or access to personal data. In the case of the MPI, this can be your own personal data as well as that of colleagues, external parties, and participants.

    Examples:

    • Loss/theft of an external hard drive (USB stick, SSD cards, etc.) with work-related information
    • Loss/theft of PC/laptop/phone with work-related information
    • Being hacked
    • Phishing mail attack
    • Writing down passwords, losing them
    • Not using bcc in an open email list
    • Etc.

    Why report this?

    As a company, we are legally obliged to report data breaches to the authorities within 72 hours of the breach. If we do not report, there is a high risk of being fined.

    If you suspect a data breach, we need to run an internal assessment to determine whether the violation is likely to pose a risk to the rights and freedoms of the data subjects. If a risk is identified, it must be reported to the supervisory authority. If the risk to the rights and freedoms of the data subjects is high and none of the standard legal exceptions apply, the data subjects must also be informed.

    What to do?

    According to the law, data breaches have to be reported to the authorities within a limited amount of time. In case of a breach (even if you are not sure!) contact data-breach@mpg.de and privacy@mpi.nl right away (within 72 hours of the breach!).

    It will help if you already fill in the data breach notification form (however, if you do not have all the information yet or do not know how to fill it in, please contact the data breach team and privacy@mpi.nl anyway, right away).