
Article 1 
This Regulation shall apply to the notification of personal data breaches by providers of publicly available electronic communications services (‘the provider’).
Article 2 

1. The provider shall notify all personal data breaches to the competent national authority.
2. The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible.
The provider shall include in its notification to the competent national authority the information set out in Annex I.
Detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation.
3. Where all the information set out in Annex I is not available and further investigation of the personal data breach is required, the provider shall be permitted to make an initial notification to the competent national authority no later than 24 hours after the detection of the personal data breach. This initial notification to the competent national authority shall include the information set out in Section 1 of Annex I. The provider shall make a second notification to the competent national authority as soon as possible, and at the latest within three days following the initial notification. This second notification shall include the information set out in Section 2 of Annex I and, where necessary, update the information already provided.
Where the provider, despite its investigations, is unable to provide all information within the three-day period from the initial notification, the provider shall notify as much information as it disposes within that timeframe and shall submit to the competent national authority a reasoned justification for the late notification of the remaining information. The provider shall notify the remaining information to the competent national authority and, where necessary, update the information already provided, as soon as possible.
4. The competent national authority shall provide to all providers established in the Member State concerned a secure electronic means for notification of personal data breaches and information on the procedures for its access and use. Where necessary, the Commission shall convene meetings with competent national authorities to facilitate the application of this provision.
5. Where the personal data breach affects subscribers or individuals from Member States other than that of the competent national authority to which the personal data breach has been notified, the competent national authority shall inform the other national authorities concerned.
To facilitate the application of this provision, the Commission shall create and maintain a list of the competent national authorities and the appropriate contact points.
Article 3 

1. When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall, in addition to the notification referred to in Article 2, also notify the subscriber or individual of the breach.
2. Whether a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual shall be assessed by taking account of, in particular, the following circumstances:
(a) the nature and content of the personal data concerned, in particular where the data concerns financial information, special categories of data referred to in Article 8(1) of Directive 95/46/EC, as well as location data, internet log files, web browsing histories, e-mail data, and itemised call lists;
(b) the likely consequences of the personal data breach for the subscriber or individual concerned, in particular where the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation; and
(c) the circumstances of the personal data breach, in particular where the data has been stolen or when the provider knows that the data are in the possession of an unauthorised third party.
3. The notification to the subscriber or individual shall be made without undue delay after the detection of the personal data breach, as set out in the third subparagraph of Article 2(2). That shall not be dependent on the notification of the personal data breach to the competent national authority, referred to in Article 2.
4. The provider shall include in its notification to the subscriber or individual the information set out in Annex II. The notification to the subscriber or individual shall be expressed in a clear and easily understandable language. The provider shall not use the notification as an opportunity to promote or advertise new or additional services.
5. In exceptional circumstances, where the notification to the subscriber or individual may put at risk the proper investigation of the personal data breach, the provider shall be permitted, after having obtained the agreement of the competent national authority, to delay the notification to the subscriber or individual until such time as the competent national authority deems it possible to notify the personal data breach in accordance with this Article.
6. The provider shall notify to the subscriber or individual the personal data breach by means of communication that ensure prompt receipt of information and that are appropriately secured according to the state of the art. The information about the breach shall be dedicated to the breach and not associated with information about another topic.
7. Where the provider having a direct contractual relationship with the end user, despite having made reasonable efforts, is unable to identify within the timeframe referred to in paragraph 3 all individuals who are likely to be adversely affected by the personal data breach, the provider may notify those individuals through advertisements in major national or regional media, in the relevant Member States, within that timeframe. These advertisements shall contain the information set out in Annex II, where necessary in a condensed form. In that case, the provider shall continue to make all reasonable efforts to identify those individuals and to notify to them the information set out in Annex II as soon as possible.
Article 4 

1. In derogation from Article 3(1), notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
2. Data shall be considered unintelligible if:
(a) it has been securely encrypted with a standardised algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorised to access the key; or
(b) it has been replaced by its hashed value calculated with a standardised cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorised to access the key.
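Added illustration of the criterion in paragraph 2(b), not part of the Regulation: a plain SHA-256 of a subscriber number can be inverted simply by re-hashing every number in the dialling block, whereas an HMAC-SHA256 under a key that was not compromised cannot, and becomes intelligible again the moment that key leaks. The dialling block, the sample number and the key are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed sample: subscriber numbers from one small, fixed dialling block. Real
# data sets are larger, but the number space stays bounded, which is why an unkeyed
# hash of a phone number is not "unintelligible" in the sense of Article 4(2)(b).
NUMBER_PREFIX = "+3247010"
SUFFIX_DIGITS = 4

# Constructed key so the demo is deterministic. In production generate it with
# secrets.token_bytes(32) and keep it apart from the data store it protects.
PSEUDONYMISATION_KEY = bytes.fromhex(
    "8f3b1c0e5a7d94216b0fd2c8e1a3579b4c6d8e0f1a2b3c4d5e6f708192a3b4c5")


def candidate_numbers() -> Iterable[str]:
    """Every number in the dialling block: the search space an outsider can enumerate."""
    for n in range(10 ** SUFFIX_DIGITS):
        yield f"{NUMBER_PREFIX}{n:0{SUFFIX_DIGITS}d}"

def unkeyed_hash(msisdn: str) -> str:
    """Plain SHA-256: standardised, but it depends on no secret."""
    return hashlib.sha256(msisdn.encode()).hexdigest()

def keyed_hash(msisdn: str, key: bytes) -> str:
    """HMAC-SHA256: a standardised keyed hash, the construction Article 4(2)(b) requires."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()

def recover_by_enumeration(stored_digest: str, hash_fn: Callable[[str], str],
                           candidates: Iterable[str]) -> Optional[str]:
    """Re-hash each candidate; return the one matching the stored digest, else None."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), stored_digest):
            return candidate
    return None

def intelligibility_report(msisdn: str) -> dict:
    """One stored record under the three situations Article 4(2)(b) distinguishes."""
    keyed_digest = keyed_hash(msisdn, PSEUDONYMISATION_KEY)
    return {
        # Unkeyed hash: re-hash the whole dialling block and the number comes back.
        "unkeyed": recover_by_enumeration(unkeyed_hash(msisdn), unkeyed_hash, candidate_numbers()),
        # Keyed hash, key not compromised: enumeration with a guessed key yields nothing.
        "keyed_key_secret": recover_by_enumeration(
            keyed_digest, lambda c: keyed_hash(c, b"attacker-guess"), candidate_numbers()),
        # Keyed hash, key leaked in the same breach: the data is intelligible again.
        "keyed_key_leaked": recover_by_enumeration(
            keyed_digest, lambda c: keyed_hash(c, PSEUDONYMISATION_KEY), candidate_numbers()),
    }
```

The report for any number in the block returns the number itself for the unkeyed and key-leaked cases and None for the key-secret case, which is the distinction the derogation in paragraph 1 turns on.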
3. The Commission may, after having consulted the competent national authorities via the Article 29 Working Party, the European Network and Information Security Agency and the European Data Protection Supervisor, publish an indicative list of appropriate technological protection measures, referred to in paragraph 1, according to current practices.
Article 5 
Where another provider is contracted to deliver part of the electronic communications service without having a direct contractual relationship with subscribers, this other provider shall immediately inform the contracting provider in the case of a personal data breach.
Article 6 
Within three years from the entry into force of this Regulation, the Commission shall provide a report on the application of this Regulation, its effectiveness and its impact on providers, subscribers and individuals. On the basis of that report the Commission shall review this Regulation.
Article 7 
This Regulation shall enter into force on 25 August 2013.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 24 June 2013.
For the Commission
The President
José Manuel BARROSO
ANNEX I

Section 1

1. Name of the provider
2. Identity and contact details of the data protection officer or other contact point where more information can be obtained
3. Whether it concerns a first or second notification
4. Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident
5. Circumstances of the personal data breach (e.g. loss, theft, copying)
6. Nature and content of the personal data concerned
7. Technical and organisational measures applied (or to be applied) by the provider to the affected personal data
8. Relevant use of other providers (where applicable)

Section 2

9. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved):
10. Number of subscribers or individuals concerned
11. Potential consequences and potential adverse effects on subscribers or individuals
12. Technical and organisational measures taken by the provider to mitigate potential adverse effects
13. Content of notification
14. Means of communication used
15. Number of subscribers or individuals notified
16. Personal data breach involving subscribers or individuals in other Member States
17. Notification of other competent national authorities

ANNEX II

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Summary of the incident that caused the personal data breach

4. Estimated date of the incident

5. Nature and content of the personal data concerned as referred to in Article 3(2)

6. Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)

7. Circumstances of the personal data breach as referred to in Article 3(2)

8. Measures taken by the provider to address the personal data breach

9. Measures recommended by the provider to mitigate possible adverse effects
