Data Breach

Data protection incident and data protection impact assessments

Under the GDPR, the BDSG and the numerous ancillary laws, companies that process personal data commercially must ensure comprehensive data protection. The steady stream of data protection incidents shows that this is often hard to achieve in practice, given the complexity of the law, its ongoing updates and ever higher demands. A data protection incident occurs when the protection of personal data has been breached. Under Art. 4 No. 12 GDPR, this is the case when personal data that is transmitted, stored or otherwise processed is accidentally or unlawfully destroyed, lost or altered, or is disclosed to or accessed by unauthorized parties. Such an incident may trigger a notification obligation under Art. 33 GDPR: the breach must be reported to the supervisory authority.
However, this is by no means the only obligation that may apply. If your processing is likely to result in a high risk to the rights and freedoms of natural persons, for example because it involves a large amount of personal data or particularly risky processing operations, you may be required to carry out a data protection impact assessment, or DPIA for short (Art. 35 GDPR). Its purpose is to assess the admissibility of the data processing in advance and, if necessary, to restrict or redesign it.
If you have suffered a data breach that makes reporting a data protection incident unavoidable, or if you operate in processing areas that require a data protection impact assessment, you or your data protection officer must prepare it. For this you need one thing above all: an overview of, and simple management of, all your data protection structures. Data protection incidents and fines for forgotten data protection impact assessments can be avoided if enough capacity is created in data protection for proactive action. How? With a reliable partner like Priverion, who offers a smart and efficient solution for simple data protection management.


If a data protection incident occurs in your company, for example through data theft after a cyber attack or an e-mail accidentally sent to the wrong recipient, the controller is obliged under Art. 33 GDPR to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. An exception applies if “[…] the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Even then, the decision not to notify must be documented, and a notification made after the 72 hours must be accompanied by the reasons for the delay. The minimum content of a notification is set out in Art. 33 GDPR: the nature of the breach, including the categories and approximate number of data subjects and records affected, the contact details of the data protection officer, the likely consequences, and the measures taken or proposed. At the same time, the company or its data protection officer must keep precise documentation of every breach, which the supervisory authority may inspect; this includes the facts, the effects and the remedial measures taken. Failing to notify carries the risk of high fines. Note also that under Art. 34(1) GDPR the affected data subjects must be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms; non-compliance here can likewise have consequences. A breach of either obligation, whether towards the supervisory authority or towards the data subjects, falls under the lower tier of fines in Art. 83(4) GDPR, the so-called “small fine”, of up to 10 million euros or 2% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher.
However, a data protection incident is not always immediately recognizable, especially if there is no overall view of data protection in the company and time is only available for the high-risk areas. Our core module offers a solution here.
The SaaS solution gets you started on the long-term work of complying with all legal requirements and maintaining regular documentation. With comprehensive risk management, you can manage and monitor the risks to your data protection compliance at a glance in a single solution. All activities and tasks can be clearly displayed and maintained in a directory. This preventively reduces the risk of data protection incidents, helps you recognize incidents at an early stage, and lets you comply with the reporting obligation in the event of a breach of data protection law.

The services of the core module:
• Directory of processing activities (ROPA)
• Management of data processors
• TOM management
• Incident Management
• Risk management (data flow based)
• Reports and data flow visualization
• Requests for information
• Reviews & Audits
• Multi-law function (per legal entity)

If you have any questions about the services of the core module, please contact us so that we can help you.


The supervisory authorities publish lists of processing operations for which a DPIA must be carried out (Art. 35(4) GDPR), and the guidelines of the European data protection authorities set out criteria that indicate a high risk. If two or more of these criteria are met, the likelihood that you need to conduct a data protection impact assessment is very high. They include, among others:

• Highly sensitive personal data
• Data of vulnerable persons such as children
• Large amounts of data
• Use of technologies such as fingerprint scans or facial recognition
• Scoring, evaluation, profiling or prediction
• Systematic monitoring of people

A DPIA must contain at least the following (Art. 35(7) GDPR):

• A systematic description of the processing operations
• Information about the purposes and, where applicable, the legitimate interest pursued
• An assessment of the necessity of the processing
• An assessment of the proportionality of the processing operations
• An assessment of the risks to the rights and freedoms of data subjects
• The measures planned to address those risks

If the DPIA concludes that the residual risk remains high, the controller must consult the supervisory authority before starting the processing (Art. 36 GDPR), and the authority can use its powers to restrict or prohibit the processing. If a DPIA is neglected and a breach of the obligation to carry one out can be proven, fines of up to 10 million euros or 2% of the total worldwide annual turnover, whichever is higher, may be imposed.

Our efficiency module supports you in mastering data protection efficiently, keeping your data protection impact assessments up to date, recognizing risk areas in good time and, if necessary, restructuring them. Automate recurring tasks, gain secure access to standard data processors and ROPAs, and stay informed about current changes.

The services of the performance module:
• Data Processor Library
• ROPA library
• Policy Library
• TOM library
• Retention & Deletion Library
• Policy tree
• Employee training
• Merger, acquisition and exclusion functions
• Azure Active Directory B2C
• Data protection portal


Should a data protection incident occur or a data protection impact assessment become necessary, our innovative solution gives you a direct start. Meet your reporting obligations and avoid high fines. You also gain more time for proactive action, to prevent data protection incidents before they happen and to reduce the risk areas that have to be dealt with as part of data protection impact assessments. With Priverion at your side, the GDPR with all its guidelines, regulations and reporting requirements becomes feasible. For every company.
We look forward to providing you with more detailed information in an initial personal meeting and would be happy to advise you. Master data protection incidents and data protection impact assessments with us, a little more confidently.