Data Breach Notification Period
Pursuant to Article 33 para. 1 of the General Data Protection Regulation (GDPR), the controller must notify the competent supervisory authority of a personal data breach without undue delay and, if possible, within 72 hours of becoming aware of it. But how is the data breach notification period calculated?
Applicable Standards
First of all, it should be noted that the standards for calculating deadlines known from German law (in particular Sections 186 et seq. of the German Civil Code) are not applicable to the European regulation. There is also no regulation within the GDPR that declares national regulations on the calculation of time limits to be applicable.
According to the prevailing view, the notification period laid down in Article 33 para. 1 of the GDPR must be calculated under EU regulation (EEC, EURATOM) No. 1182/71 (contrary view: Träger, RDV 2020, 3 et seq., who considers EU regulation No. 1182/71 to be inapplicable). EU regulation No. 1182/71 applies to legal acts adopted by the Council and the Commission on the basis of the Treaty establishing the European Economic Community (Article 1 of the EU regulation No. 1182/71). That Treaty is the predecessor of the Treaty on the Functioning of the European Union, on which the General Data Protection Regulation, a Regulation of the European Parliament and of the Council, is based.
Calculation of the Deadline
The concrete calculation of the 72-hour data breach notification period is governed by Art. 2 et seq. EU regulation No. 1182/71. Thus, Art. 3 para. 1 subpara. 1 of the EU regulation No. 1182/71 stipulates that the point in time at which an event occurs or an action is taken is decisive for the beginning of a time limit measured in hours, as is the case here.
The starting point is therefore when the data protection violation becomes known to the data controller. In principle, a data breach is known when the data controller is sufficiently certain that a security incident has occurred which has led to an impairment of the protection of personal data. The data controller first has the opportunity to clarify the facts and to check whether there is a high probability of a breach on the basis of factual indications (see Laue/Kremer, Das neue Datenschutzrecht in der betrieblichen Praxis, §7, No. 47). Only after this determination does the data breach notification period begin.
When determining the start of the data breach notification period, note that the hour in which the event or action occurs, here the controller becoming aware of the breach, is not counted. If, for example, the controller becomes aware of a data breach at 3:45 p.m. on a Friday, the 72-hour period does not begin to run until 4:00 p.m. on the same day.
For the purpose of calculating the end of the 72-hour period, Article 3 para. 2 (a) of the EU regulation No. 1182/71 provides that it ends “with the expiry of the last hour of the period.” In contrast to the German time limit regulations (cf. Section 193 German Civil Code), the 72-hour period can also end on a public holiday, Sunday or Saturday.
Because Art. 3 para. 4 subpara. 1 of the EU regulation No. 1182/71 does not apply to deadlines that are measured in hours, the deadline is not (!) extended to the next working day. According to Art. 2 para. 2 of the EU regulation No. 1182/71, a working day is a day that is not a holiday, Sunday or Saturday.
Accordingly, if the controller becomes aware of a violation on a Wednesday at 4:45 p.m., the 72-hour period for reporting to the supervisory authority ends on Saturday at 5:00 p.m.
Problem: Extension of the Time Limit in Art. 3 para. 5 of the EU regulation No. 1182/71
There is currently disagreement on whether Art. 3 para. 5 of the EU regulation No. 1182/71 can extend the 72-hour deadline if fewer than two full working days fall between the start and the end of the deadline. The Bavarian State Commissioner for Data Protection rejected such an extension in its orientation guide of 01.06.2019. Art. 3 para. 5 reads:
“Any period of two days or more shall include at least two working days.”
If, for example, the deadline begins on a Friday at 5:00 p.m., the application of Art. 3 para. 5 EU regulation No. 1182/71 would result in a deadline ending on Tuesday at 5:00 p.m. If Art. 3 para. 5 of the Regulation is not applicable, the deadline would end on Monday at 5:00 p.m.
The Bavarian State Commissioner bases the non-applicability of Art. 3 para. 5 of the EU regulation No. 1182/71 on the wording of that provision: it presupposes a “period of two days or more” and therefore, on this reading, covers only time limits measured in days, not in hours.
However, this view is not convincing
In contrast to the previous paragraphs of Art. 3, Art. 3 para. 5 of the regulation does not differentiate according to the type of period. It therefore does not matter whether a period is measured “in hours” (Art. 3 para. 2a), “in days” (Art. 3 para. 2b), “in weeks, months or years” (Art. 3 para. 2c) or in “parts of months” (Art. 3 para. 2d). By its wording, Art. 3 para. 5 covers “any period” of two days or more, so the 72-hour time limit falls within the extension rule as well.
As a result, all time limits of two days (48 hours) or more, including the 72-hour data breach notification period, must therefore (also) comprise at least two working days (see also Piltz/Pradel, ZD 2019, 152).
In the example given, where the start of the deadline is on a Friday at 5:00 p.m., pursuant to Art. 3 para. 5 of the EU regulation No. 1182/71, the end of the deadline therefore does not occur until Tuesday at 5:00 p.m. This is a significant difference from the point of view of an affected company, since a late report is in principle conduct that is subject to a fine.
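To make the two readings directly comparable, the following Python example (added here; it is not part of the original article and not the method of any authority cited in it) calculates the deadline under both readings. It assumes a counting rule for Art. 3 para. 5 that reproduces the examples above: working days are counted from the day after the period starts up to and including the day on which it ends, and the end is pushed back one calendar day at a time until two such days fall within the period. The holiday set is a constructed parameter, not a public-holiday calendar, and the dates used are constructed samples.

```python
from datetime import date, datetime, timedelta

# Art. 2 para. 2 of EU regulation No. 1182/71: a working day is any day other
# than a public holiday, a Sunday or a Saturday. weekday(): Monday=0 ... Sunday=6.
WEEKEND = {5, 6}


def is_working_day(day: date, holidays: frozenset = frozenset()) -> bool:
    return day.weekday() not in WEEKEND and day not in holidays


def period_start(awareness: datetime) -> datetime:
    """Art. 3 para. 1 subpara. 1: the hour in which the controller becomes
    aware is not counted, so the 72 hours run from the next full hour."""
    return awareness.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)


def working_days_in_period(start: datetime, end: datetime,
                           holidays: frozenset = frozenset()) -> int:
    """Working days from the day after the start up to and including the end day.
    Assumption (not stated in the article): this is the counting rule implied by
    its examples, e.g. Fri 17:00 -> Mon 17:00 contains one working day (Monday)."""
    count = 0
    day = start.date() + timedelta(days=1)
    while day <= end.date():
        if is_working_day(day, holidays):
            count += 1
        day += timedelta(days=1)
    return count


def notification_deadline(awareness: datetime, holidays: frozenset = frozenset(),
                          apply_art_3_5: bool = False) -> datetime:
    start = period_start(awareness)
    # Art. 3 para. 2 (a): the period ends with the expiry of its last hour.
    # Art. 3 para. 4 does not apply to periods in hours, so the end is NOT moved
    # to the next working day; it may fall on a Saturday, Sunday or holiday.
    end = start + timedelta(hours=72)
    if apply_art_3_5:
        # Disputed reading of Art. 3 para. 5: the period must include at least
        # two working days; extend one calendar day at a time until it does.
        while working_days_in_period(start, end, holidays) < 2:
            end += timedelta(days=1)
    return end


def deadline_iso(awareness_iso: str, holidays_iso=(), apply_art_3_5: bool = False) -> str:
    """String wrapper: 'YYYY-MM-DD HH:MM' in, 'YYYY-MM-DD HH:MM:SS' out."""
    holidays = frozenset(date.fromisoformat(h) for h in holidays_iso)
    end = notification_deadline(datetime.fromisoformat(awareness_iso), holidays, apply_art_3_5)
    return end.isoformat(sep=" ")


if __name__ == "__main__":
    # Constructed samples: 2024-03-06 is a Wednesday, 2024-03-01 a Friday.
    for awareness in ("2024-03-06 16:45", "2024-03-01 16:45"):
        print(awareness, "->", deadline_iso(awareness),
              "| with Art. 3 para. 5:", deadline_iso(awareness, apply_art_3_5=True))
```

The "safest route" of the conclusion corresponds to the result without `apply_art_3_5`, which is never later than the extended deadline; the extended value only shows how much additional time the Piltz/Pradel reading would grant.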
Conclusion: Taking the “Safest Route”
Companies must first be prepared for the fact that, unlike under national deadline rules (such as those in Germany), the deadline for reporting a data breach can also end on a weekend or on a public holiday. Appropriate organizational measures must be taken so that a data breach can be reported on these days as well and the deadline is met. In addition, the uncertainty described above as to whether the period must contain at least two working days (cf. Art. 3 para. 5 of the EU regulation No. 1182/71) must be taken into account. In view of the approach to deadline calculation taken by the Bavarian Data Protection Authority, it is generally recommended to take the safest route: as a precaution, the data breach notification should be made so that the deadline is met even under the practice of the Bavarian Data Protection Authority, i.e. without relying on any extension.
We will help you to avoid reporting deadline violations in the future; please feel free to contact our consultants.