The controller must provide the data subject with information on the collection of personal data in a precise, transparent, comprehensible and easily accessible form.
Chapter 2 (Art. 13 - 15) — Obligations of the Controller
The controller must retain the data protection impact assessment after concluding the data processing for a minimum of two years.
- The report to the FDPIC of a breach of data security must include the following information:
  - a. the form of breach;
  - b. the time and duration, if possible;
  - c. the categories and approximate amount of personal data concerned, if possible;
  - d. the categories and the approximate number of data subjects, if possible;
  - e. the consequences, including any risks, for the data subjects;
  - f. the measures that have been taken or are planned in order to remedy the breach and mitigate the consequences, including any risks;
  - g. the name and the contact details of a contact person.
- If the controller is unable to report all the details at one time, it shall supply the missing details as quickly as possible.
- If the controller is required to inform the data subject, it shall provide the data subject with the details specified in paragraph 1 letters a and e–g in simple and comprehensible language.
- The controller must document the breaches. The documentation must contain a summary of the circumstances of the incidents, their effects and the measures taken. It shall be retained from the time of the report under paragraph 1 for a minimum of two years.