Andorran Data Protection Agency Reminds Controllers of 72-Hour Breach Notification Duty
APDA issues guidance on reporting personal data breaches within 72 hours if risks to rights exist, amid possible cyberattack on shopping centre.
Key Points
- Notify APDA within 72 hours for risky breaches, detailing nature, data, and impacts.
- Breaches include human errors like mis-sent emails, lost devices, or unauthorised access.
- Contain breach swiftly, document response; notify individuals for high-risk cases.
- Reminder follows suspected shopping centre cyberattack impacting suppliers and customers.
The Andorran Data Protection Agency (APDA) has issued guidance reminding data controllers of their obligation to notify security breaches within 72 hours, unless the incident is unlikely to pose a risk to individuals' rights and freedoms.
A personal data breach arises from any accidental or unlawful event causing the destruction, loss, or alteration of personal data, or its unauthorised disclosure or access, potentially affecting its confidentiality, integrity, or availability. The APDA emphasised that these incidents extend beyond cyberattacks to include human errors, lost documents, or other threats to data security.
Examples include sending emails with personal details to the wrong recipient, failing to use blind carbon copy when sharing information with multiple parties, loss or theft of devices, unauthorised access to databases or shared folders, improper publication of personal data, and accidental changes or deletions. Temporary or permanent unavailability of data also qualifies.
Controllers must report a breach to the APDA within 72 hours if it is likely to pose a risk to individuals' rights and freedoms, supplying details on the incident's nature, affected data types, and potential consequences. They should act swiftly to contain the breach, assess its impact, restore access, and document the response. High-risk incidents require direct notification to affected individuals in clear language. Failure to notify when required constitutes a serious infringement, potentially leading to sanctions.
The APDA released this reminder amid reports of a possible cyberattack on a well-known shopping centre, which initial information suggested may have affected numerous suppliers and customers. No additional details on the incident's extent or context have been disclosed.
Original Sources
This article was aggregated from the following Catalan-language sources: