A company suffered a data breach with my information. Must they tell me?

What the Law Says

The General Data Protection Regulation (GDPR) sets strict rules for how organisations must respond to personal data breaches affecting individuals in the EU.

A personal data breach is defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.'

Controllers (the organisations handling your data) must report certain breaches to the relevant supervisory authority — such as the national data protection authority — within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.

If the breach is likely to result in a 'high risk' to your rights and freedoms (e.g., identity theft, financial loss, discrimination, or reputational damage), the controller must also inform you directly — without undue delay.

Statutory Text

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

— Regulation (EU) 2016/679, Art. 34(1) — Communication of a personal data breach to the data subject

Statutory Text

The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority...

— Regulation (EU) 2016/679, Art. 33(1) — Notification of a personal data breach to the supervisory authority

Sources