Procedure for Reporting Personal Data Breaches

1. Incident Identification

1.1. Any staff member or stakeholder suspecting or discovering a personal data breach must immediately notify the Data Protection Officer (DPO) at dpo@get-potions.com.
1.2. The DPO or designated individual reviews the provided details, evaluates the severity, and determines the scope of the breach.


2. Situation Assessment

2.1. An initial assessment of the breach is conducted by Potions to understand its potential impact, the types of data involved, the affected individuals, and associated risks.
2.2. A more in-depth analysis may be carried out if necessary to obtain a comprehensive understanding of the situation and related risks.


3. Notification to Relevant Authorities

3.1. If the breach poses a risk to the rights and freedoms of affected individuals, a notification to the data protection authorities will be made within the required timeframe, typically within 48 hours of discovering the breach.
3.2. The notification includes all relevant information about the breach, its consequences, and the measures taken to address it.


4. Informing Affected Individuals

If the breach presents a high risk to the rights and freedoms of individuals, they will be promptly and clearly informed about the nature of the breach, the data involved, and the actions taken to resolve the issue.


5. Incident Documentation and Recording

All data breaches are thoroughly documented in a dedicated register, including:

  • Date and time of the breach.
  • Circumstances of the breach.
  • Data involved.
  • Actions and measures taken.

6. Monitoring and Reporting

Corrective actions are monitored by the DPO or designated individual. Periodic reports are presented to management and relevant stakeholders to ensure follow-up and accountability.


7. Training and Awareness

7.1. Regular training is provided to staff to ensure a solid understanding of incident management procedures and to raise awareness of data security issues.
7.2. Simulation exercises may be conducted to test the effectiveness of procedures and enhance preparedness in case of an incident.


This procedure must be reviewed periodically to ensure alignment with regulatory developments and best practices in data protection.