67 Notification of a personal data breach to the Commissioner
67 Notification of a personal data breach to the Commissioner

(1)     If a controller becomes aware of a personal data breach in relation to personal data for which the controller is responsible, the controller must notify the breach to the Commissioner—

(a)     without undue delay, and

(b)     where feasible, not later than 72 hours after becoming aware of it.

(2)     Subsection (1) does not apply if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

(3)     Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.

(4)     Subject to subsection (5), the notification must include—