Reporting Obligations
A data protection incident (also referred to as a “data breach” or “personal data breach”) is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (GDPR Art. 4(12)). Typical cases include:
- Unauthorized access: e.g., through hacking attacks or internal access without authorization
- Intentional or accidental disclosure: e.g., sending data to incorrect recipients
- Data loss: e.g., loss of laptops, USB drives, or accidental deletion of data
- Unauthorized alteration or destruction: e.g., due to software errors or human failure
- Technical failures: e.g., server crashes resulting in data loss
Under GDPR Art. 33, an incident must be reported to the supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of natural persons (e.g., identity theft, financial loss, discrimination, reputational damage). The assessment therefore starts from the assumption that a report is due, and the decision not to report is the one that needs justification.
Every employee needs a quick, low-friction way to report a suspected data protection incident, and training on how to recognize one and to whom it must be reported internally. Many incidents (misdirected emails, lost devices) are first noticed by staff rather than by technical monitoring.
When a potential data protection incident is discovered, the following steps are recommended:
- Initial documentation of the incident: What happened? Which data is affected? When and how was the incident discovered?
- Immediately inform the responsible parties (Data Protection Officer, IT, management).
- Contain the incident: isolate affected systems, block or revoke the access that was used, and stop any ongoing data loss.
- Secure evidence in parallel with containment (relevant logs, emails, system images, access records) before systems are wiped or rebuilt or log retention expires; the later risk assessment and any report to the authority depend on it.
- Complete documentation regarding the facts, impact, measures taken, risk assessment, and decision-making basis.
- Assess whether and to what extent there is a risk to the rights and freedoms of the data subjects.
- Decide whether the incident must be reported to the Data Protection Authority (required unless a risk to the data subjects is unlikely) and whether the affected data subjects must be informed (required when a high risk to them is likely); record the reasoning behind a decision not to report. The reporting deadlines must be met.
- Follow-up actions: Implement measures to prevent similar data protection incidents in the future.
A response plan for data protection incidents should be in place, together with an incident register that documents every incident, including those assessed as not reportable, with the facts, effects, and remedial action taken (GDPR Art. 33(5)). The supervisory authority may ask for this register to verify compliance.
The following deadlines must be adhered to in the case of data protection incidents:
- Report to the Data Protection Authority: within 72 hours of becoming aware of the incident. If the full report cannot be made within this time, it must be accompanied by the reasons for the delay. Information may also be provided in phases: an initial report within the 72 hours, supplemented later as the investigation progresses.
- Report to the affected individuals: without undue delay, if the incident is likely to result in a high risk to their rights and freedoms. The notice must describe the nature of the incident in clear and plain language, name a contact point, describe the likely consequences, and state the measures taken and what the individuals themselves can do to limit the harm.
Important: The 72 hours run from the moment the data controller becomes aware of the incident, i.e., has a reasonable degree of certainty that a security incident has compromised personal data; they are counted in calendar hours, including weekends and holidays. A processor that discovers an incident must notify the controller without undue delay, and the controller's clock starts once it has been made aware.
Failure to report, or late reporting, may result in fines of up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR Art. 83(4)).