breach-subject-comms
Installation
SKILL.md
Managing Data Subject Breach Communication
Overview
Article 34 of the GDPR requires controllers to communicate a personal data breach to affected data subjects "without undue delay" when the breach is "likely to result in a high risk to the rights and freedoms of natural persons." This obligation is separate from and additional to the Art. 33 supervisory authority notification. The communication must be in clear and plain language, directly accessible to the affected individuals, and must contain specific information prescribed by Art. 34(2).
High Risk Threshold — When Art. 34 Applies
Art. 34 notification is triggered when the breach risk assessment yields a "high risk" determination. Per EDPB Guidelines 9/2022, Section 3.2, high risk is present when:
- The breach involves special category data (Art. 9) or criminal conviction data (Art. 10) in combination with direct identifiers.
- The breach enables identity theft — the compromised data includes government identifiers (national ID, tax ID, social security number) combined with other identifying information.
- The breach involves financial data (bank account numbers, payment card details) that could be used to commit fraud.
- The breach involves data of vulnerable individuals (minors, patients, employees in dependent relationships) where the consequences are amplified.
- The breach involves a large volume of personal data (more than 1,000 individuals) with direct identifiers, even if the data is not special category.
- The breach could lead to physical harm, discrimination, or threat to the life or safety of individuals.