What shall the communication of the personal data breach to the data subject contain?
In accordance with Article 34 (2) GDPR the communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3). Under that provision, the controller shall at least:
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to the data subject shall be in a clear and plain language. In order to satisfy this requirement, the controller shall adjust the content of the communication to the particular group of data subjects. For example, if the particular entity has clients of a similar age and educational attainment, these circumstances shall be taken into account in the language context, while formulating the communication. In cases when the data subjects are diversified or the controller does not have sufficient information to determine the group of data subjects, the average data subject shall be the reference point for the language used in the communication. The objective is to ensure that individuals are able to understand the information being provided to them. Moreover, the communication shall not be excessive, because long information usually make the essence of the message difficult to understand.