A breach of personal data is a breach of security resulting in the destruction, loss, alteration or unauthorized disclosure of, or accidental or illegal access to, personal data that is transmitted, stored or otherwise processed. A "breach", for these purposes, is identifiable as a security incident that has affected the confidentiality, integrity or availability of personal data.
As indicated above, a data breach for these purposes has a broader scope than data loss. The following are examples of data breaches:
For the purposes of this policy, a data breach will be notifiable if the company considers that it is likely to pose a risk to the rights and freedoms of individuals. If it does not pose this risk, the breach is not subject to notification, but it will be entered in the company's register of breaches.
A risk to the rights and freedoms of individuals may include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss, and damage to reputation.
In assessing the likelihood of a risk to the rights and freedoms of individuals, the company will consider the following:
When the company is informed of a breach, it shall immediately initiate an investigation into what has happened and the measures to be taken to limit the consequences. At that time, it will be determined whether the breach is considered a notifiable breach and whether it is considered to pose a high risk to the rights and freedoms of individuals.
In the event of a notifiable breach, the company shall notify the Swiss Federal Data Protection and Transparency Officer (PFPDT) without undue delay and no later than 72 hours after it becomes aware of the breach. If the notification is made beyond that period, the company shall provide the reasons to the PFPDT.
If it has not been possible to conduct a full investigation into the breach and give full details to the PFPDT within 72 hours, an initial notification will be made within 72 hours, giving as much detail as possible, together with the reasons for the incomplete notification and an estimated time limit for full notification. The initial notification will be followed by a further communication to the PFPDT providing the remaining information.
The following information shall be provided when a breach is notified:
In the event of a notifiable breach which poses a high risk to the rights and freedoms of individuals, the company shall notify the data subjects themselves, i.e. the persons whose data are affected by the breach, as well as the supervisory authority. Such notification shall be made without undue delay and may, depending on the circumstances, be made before the supervisory authority is notified.
A high risk may exist, for example, when there is an immediate threat of identity theft, or when special categories of data are disclosed online.