Please note this is an in-depth version of the ideal answer. We have included additional information
in this document to help you understand the thinking and rationale behind the sample solution!
I. Draft E-Mail to client
Dear Mr. Dent,
Thank you for the information provided to us. We have assessed whether Great New Games has any notification obligation under the EU General Data Protection Regulation ("GDPR") regarding the data leak that occurred. We understand that the customer database operated by Great New Games, which contains names, addresses and credit card information, was unencrypted and that this information was therefore publicly accessible for a period of up to six days. However, Great New Games has no evidence that any unauthorised access to the database has occurred.
Ultimately, to our understanding, Great New Games is obliged to notify (1.) the competent supervisory authority and (2.) the affected customers of Great New Games about the data leak. In case of a violation of these obligations, the GDPR provides for fines of up to EUR 10,000,000 or up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (3.). Therefore, as requested, we have prepared the necessary notification letters (see attached). The supervisory authority should be notified as soon as possible.
1. Notification obligation to the competent authority
As per Art. 33 para 1 s. 1 GDPR, the controller is obliged to notify the supervisory authority about a
personal data breach without undue delay and, where feasible, not later than 72 hours after having
become aware of it unless the personal data breach is unlikely to result in a risk to the rights and
freedoms of natural persons.
a) Controller
According to Art. 4 Nr. 7 GDPR, "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 Nr. 2 GDPR). Great New Games is the legal person determining the purpose of the storage and the use of customers' data in the context of the operation of the web shop. Thus, Great New Games is the controller pursuant to Art. 4 Nr. 7 GDPR.