Commission Regulation (EU) No 611/2013
of 24 June 2013
on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications
Commission Regulation (EU) No 611/2013 sets out specific rules for the notification of data security breaches by telecommunications providers and internet service providers under Directive 2002/58/EC (the “ePrivacy Directive”) as transposed into Irish law via SI 336 of 2011. It came into force on 25 August 2013.
Providers must make an initial notification of a data security breach to the competent national authority no later than 24 hours after the first detection of the breach. If the provider is unable to provide full details on the breach at this time, further details should be provided within three days of the initial notification.
If, after this three-day period, you are still unable to provide the full information required by the Regulation on the data security breach, you will be required to submit to this Office a reasoned justification as to why the information is not available. Please contact the data breach section on (057) 8684800 if this situation applies to you.
The information which must be provided in the notification is set out in Annex I of the Regulation.
A secure online form is available to make the notification of the data security breach.
Please click here for notes on how to complete the form.
Please note these requirements apply to telecommunications and internet service providers as defined by SI 336 of 2011 only. Data controllers covered by this Office's Data Security Breach Code of Practice should not use this form to notify data security breaches.