108 Communication of a personal data breach
108 Communication of a personal data breach

(1)     If a controller becomes aware of a serious personal data breach in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.

(2)     Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.

(3)     Subject to subsection (4), the notification must include—