Notification of a Personal Data Breach in the Czech Republic

Although the obligation to notify personal data breaches existed prior to the GDPR for electronic communications services providers, this institute has seldom been used. The GDPR made the notification obligation mandatory for all data controllers. In the one year since the GDPR started to be enforced, the Czech Data Protection Authority has dealt with several hundred data breach notifications. As many data controllers are subject not just to the GDPR but also to cybersecurity laws and sectoral regulation which too requires them to notify security and data related incidents, it would be highly desirable if the notification processed was unified.