Article 24
Notifications of data security breaches
- 1 The controller shall notify the FDPIC of any breach of data security that is likely to lead to a high risk to the data subject's personality or fundamental rights as quickly as possible.
- 2 In the notification, it shall as a minimum specify the nature of the breach of data security, its consequences and the measures taken or planned.
- 3 The processor shall notify the controller of any breach of data security as quickly as possible.
- 4 The controller shall inform the data subject if this is required for their protection or if the FDPIC so requests.
- 5 It may limit, delay or dispense with the provision of information to the data subject if:
  - a. there is a reason for doing so pursuant to Article 26 paragraph 1 letter b or paragraph 2 letter b, or the provision of information is prohibited by a statutory duty of confidentiality;
  - b. the provision of information is impossible or requires disproportionate effort; or
  - c. the provision of information to the data subject is equally guaranteed by making a public announcement.
- 6 A notification made pursuant to this Article may only be used against the person required to notify in criminal proceedings with that person's consent.
* Inserted by No II 2 of the FA of 29 Sept. 2023 (Introduction of a Reporting Obligation for Cyberattacks on Critical Infrastructure), in force since 1 April 2025 (AS 2024 257; 2025 168, 173; BBl 2023 84).