General Data Security Breach Notification Requirements
Are there obligations to make notifications about personal data security breaches?

[Last reviewed: 12 January 2023]

Yes.

Under the amended APPI and its bylaws, business owners must notify the PPC and the data subjects about serious personal data security breaches (i.e., leakage, loss, damage or any other event affecting the security of personal data). The relevant ordinances provide that the following count as "serious personal data security breaches" that must be notified to the PPC:

  • The data includes sensitive data.
  • The data is likely to be used unlawfully and to cause financial damage.
  • It is likely that the breach was committed with an unlawful purpose.
  • A breach affecting the personal data of more than 1,000 data subjects has occurred, or is likely to have occurred.
Controllers/Owners have to notify:

[Last reviewed: 12 January 2023]

☒ data protection authorities

Under the amended APPI and its bylaws, business owners must report a personal data security breach (meeting a certain threshold) to the data protection authority (the PPC) immediately (in practice within 3 to 5 days, according to the PPC guidelines), followed by a more detailed report within 30 days after becoming aware of the breach (or within 60 days where it is likely that the breach was committed with an unlawful purpose).

☒ affected individuals

Under the amended APPI and its bylaws, business owners must "promptly" notify data subjects of a personal data security breach (meeting a certain threshold). The APPI does not set a specific timeframe for this notification.

☐ other

Processors/Agents have to notify:

[Last reviewed: 12 January 2023]

Under the amended APPI and its bylaws, processors (i.e., outsourcees that process personal data on behalf of a controller) must notify the controller (i.e., the outsourcer of the processing) of personal data security breaches meeting a certain threshold.