Controllers and data processors need legal certainty, including when it comes to complying with reporting obligations under data protection law. Although the Article 29 Working Party has provided a guideline on how to deal with reporting obligations since 2017, the Hafnium hack has shown that the German state data protection authorities differ widely in their interpretation of the legal data protection regulations. The present opinions of the data protection supervisory authorities do not "only" differ in minor points of interpretation (e.g. which information the respective data protection supervisory authority requires as a "must-have" for a notification of a data protection breach); in this case, the differences in the data protection law assessment of the notification obligation are significant.
For this reason, a sub-working group of the Bitkom Data Protection Working Group has dealt with the interpretation of Articles 33 and 34 of the GDPR in order to provide companies with expert support for data breach notifications. In particular, we have examined the prevailing opinion on the concept of "becoming aware" of a personal data breach, with the aim of harmonising the interpretation by companies and the authorities.