Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Guidance on how to complete data breach notification form

This Form is in two sections. Section 1 covers the initial information which must be notified to this Office in respect of a data security breach, and Section 2 requests more detailed further information.

A first notification must be made to this Office on this form no later than 24 hours after the first detection of the data breach.

If you have all the information to hand at this stage, you may fill out both sections 1 and 2 of the form.

If you do not have all the necessary information to hand at the time of the first notification, a second notification must be made within 3 days of the first notification, on section 2 of the form. For security purposes, you will not be presented with the information previously supplied in Section 1. When submitting a second notification, please complete Questions 1-3 again and Questions 4-8 if there is any change to the information. If there is no change to your responses to questions 4 to 8 from your initial notification, simply enter "as initial notification".

If at the end of the 3 days, you still do not have all the information required, you must provide as much information as is available and contact the Data Breach Section of the Office of the Data Protection Commissioner to provide a reasoned justification for the late notification of the remaining information. The Breach section can be contacted on (057) 8684800.

SECTION 1

Information in this section is for an initial notification. Preliminary information is sufficient for answers in this section.

Questions 1 and 2

Please provide name of the provider and contact details as indicated.

Question 3

Please indicate whether or not you are making a first or second notification.

You will receive a reference number from this Office when you make your first notification. If you are subsequently making a second notification, please include the reference number here.

Question 4

Please indicate both the date and time when the incident took place and the date and time when the incident was detected by the provider.

Question 5

Please indicate the circumstances surrounding the breach.

Question 6

Please indicate the nature and content of the personal data

Question 7

Please indicate the technical and organisational measures you are applying to secure the affected data.

Question 8

Please indicate if you use other providers to deliver part of the electronic communications service to your subscribers. If the breach was related to the service provided by these other providers, please indicate if they notified you of the data security breach. 

At the end of Section 1 you will be given an option either to submit the form as an initial notification or to proceed to section 2 to make a full notification, if you have the information available to you at this time.

If you submit you will receive an automated email as an initial acknowledgment.

 

SECTION 2

Further Information on the data breach.

Question 9

Please give a summary of the incident that caused the data breach, including the physical location and the storage media involved.

Question 10

Please indicate the number of subscribers or individuals concerned.

Question 11

Please describe the potential consequences and potential adverse effects on  subscribers/individuals.

Question 12

Please describe what action you have taken to help mitigate any potential adverse affects to the affected individuals.

Possible additional notification to subscribers/individuals

Question 13

If you have already notified subscribers/individuals, please give the content of the notification.

Question 14

If you have already notified subscribers/individuals, please indicate the means used to notify the breach to subscribers/individuals (e.g. individual notifications- email, letter or phone call, media announcements etc)

Question 15

Please indicate the number of subscribers/individuals notified.

Possible cross-border issues

Question 16

Please indicate if the breach has involved subscribers/individuals in other Member States

Question 17

Please indicate if you have notified other competent national authorities.

If you have notified other competent national authorities, please indicate which authorities you have notified.