Regulation 2013/611 - Measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
Contents
official title
Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communicationsLegal instrument | Regulation |
---|---|
Number legal act | Regulation 2013/611 |
CELEX number i | 32013R0611 |
Document | 24-06-2013 |
---|---|
Publication in Official Journal | 26-06-2013; OJ L 173, 26.6.2013,Special edition in Croatian: Chapter 13 Volume 066 |
Effect | 25-08-2013; Entry into force See Art 7 |
End of validity | 31-12-9999 |
26.6.2013 |
EN |
Official Journal of the European Union |
L 173/2 |
COMMISSION REGULATION (EU) No 611/2013
of 24 June 2013
on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (1), and in particular Article 4(5) thereof,
Having consulted the European Network and Information Security Agency (ENISA),
Having consulted the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (2) (the Article 29 Working Party),
Having consulted the European Data Protection Supervisor (EDPS),
Whereas:
(1) |
Directive 2002/58/EC provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Union. |
(2) |
Under Article 4 of Directive 2002/58/EC, providers of publicly available electronic communications services are obliged to notify the competent national authorities, and in certain cases also the subscribers and individuals concerned, of personal data breaches. Personal data breaches are defined in Article 2(i) of Directive 2002/58/EC as breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union. |
(3) |
In order to ensure consistency in implementation of the measures referred to in Article 4(2), (3) and (4) of Directive 2002/58/EC, Article 4(5) thereof empowers the Commission to adopt technical implementing measures concerning the circumstances, format and procedures applicable to the information and notification requirements referred to in that Article. |
(4) |
Different national requirements in this regard may lead to legal uncertainty, more complex and cumbersome procedures and significant administrative costs for providers operating cross-border. The Commission therefore considers it necessary to adopt such technical implementing measures. |
(5) |
This Regulation is limited to the notification of personal data breaches and therefore does not set out technical implementing measures concerning Article 4(2) of Directive 2002/58/EC on informing the subscribers in case of a particular risk of a breach of the security of the network. |
(6) |
It follows from the first subparagraph of Article 4(3) of Directive 2002/58/EC that providers should notify to the competent national authority all personal data breaches. Therefore, no discretion should be left to the provider whether or not to notify to the competent national authority. However, this should not prevent the competent national authority concerned from prioritising the investigation of certain breaches in the way it sees fit in accordance with the applicable law, and to take steps as necessary to avoid over- or... |
More
This text has been adopted from EUR-Lex.
This dossier is compiled each night drawing from aforementioned sources through automated processes. We have invested a great deal in optimising the programming underlying these processes. However, we cannot guarantee the sources we draw our information from nor the resulting dossier are without fault.
This page is also available in a full version containing the legal context, de Europese rechtsgrond, other dossiers related to the dossier at hand and the related cases of the European Court of Justice.
The full version is available for registered users of the EU Monitor by ANP and PDC Informatie Architectuur.
The EU Monitor enables its users to keep track of the European process of lawmaking, focusing on the relevant dossiers. It automatically signals developments in your chosen topics of interest. Apologies to unregistered users, we can no longer add new users.This service will discontinue in the near future.