
Article 1 
This Regulation shall apply to the notification of personal data breaches by providers of publicly available electronic communications services (‘the provider’).
Article 2 

1. The provider shall notify all personal data breaches to the  Information Commissioner.
2. The provider shall notify the personal data breach to the  Information Commissionerwithout undue delay and, where feasible, not later than 72 hours after having become aware of it.The provider shall , subject to paragraph 3,  include in its notification to the Information Commissioner the information set out in Annex I.Detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation.This paragraph is to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.
3. To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.
4. The  Information Commissioner  shall provide to all providers established in the  United Kingdom  a secure electronic means for notification of personal data breaches and information on the procedures for its access and use. ...
5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Article 3 

1. When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall, in addition to the notification referred to in Article 2, also notify the subscriber or individual of the breach.
2. Whether a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual shall be assessed by taking account of, in particular, the following circumstances:
(a) the nature and content of the personal data concerned, in particular where the data concerns financial information, special categories of data referred to in Article 8(1) of Directive 95/46/EC, as well as location data, internet log files, web browsing histories, e-mail data, and itemised call lists;
(b) the likely consequences of the personal data breach for the subscriber or individual concerned, in particular where the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation; and
(c) the circumstances of the personal data breach, in particular where the data has been stolen or when the provider knows that the data are in the possession of an unauthorised third party.
3. The notification to the subscriber or individual shall be made without undue delay after the detection of the personal data breach, as set out in the third subparagraph of Article 2(2). That shall not be dependent on the notification of the personal data breach to the  Information Commissioner, referred to in Article 2.
4. The provider shall include in its notification to the subscriber or individual the information set out in Annex II. The notification to the subscriber or individual shall be expressed in a clear and easily understandable language. The provider shall not use the notification as an opportunity to promote or advertise new or additional services.
5. In exceptional circumstances, where the notification to the subscriber or individual may put at risk the proper investigation of the personal data breach, the provider shall be permitted, after having obtained the agreement of the  Information Commissioner, to delay the notification to the subscriber or individual until such time as the Information Commissioner deems it possible to notify the personal data breach in accordance with this Article.
6. The provider shall notify to the subscriber or individual the personal data breach by means of communication that ensure prompt receipt of information and that are appropriately secured according to the state of the art. The information about the breach shall be dedicated to the breach and not associated with information about another topic.
7. Where the provider having a direct contractual relationship with the end user, despite having made reasonable efforts, is unable to identify within the timeframe referred to in paragraph 3 all individuals who are likely to be adversely affected by the personal data breach, the provider may notify those individuals through advertisements in major national or regional media in the United Kingdom  within that timeframe. These advertisements shall contain the information set out in Annex II, where necessary in a condensed form. In that case, the provider shall continue to make all reasonable efforts to identify those individuals and to notify to them the information set out in Annex II as soon as possible.
Article 4 

1. In derogation from Article 3(1), notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the  Information Commissioner  that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
2. Data shall be considered unintelligible if:
(a) it has been securely encrypted with a standardised algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorised to access the key; or
(b) it has been replaced by its hashed value calculated with a standardised cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorised to access the key.
3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Article 5 
Where another provider is contracted to deliver part of the electronic communications service without having a direct contractual relationship with subscribers, this other provider shall immediately inform the contracting provider in the case of a personal data breach.
Article 6 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Article 7 
This Regulation shall enter into force on 25 August 2013.
...Done at Brussels, 24 June 2013.
For the Commission
The President
José Manuel BARROSO
ANNEX I

Section 1 1. Name of the provider
 2. Identity and contact details of the data protection officer or other contact point where more information can be obtained
 3. Whether it concerns a first or second notification
 4. Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident
 5. Circumstances of the personal data breach (e.g. loss, theft, copying)
 6. Nature and content of the personal data concerned
 7. Technical and organisational measures applied (or to be applied) by the provider to the affected personal data
 8. Relevant use of other providers (where applicable)

Section 2 9. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved):
 10. Number of subscribers or individuals concerned
 11. Potential consequences and potential adverse effects on subscribers or individuals
 12. Technical and organisational measures taken by the provider to mitigate potential adverse effects
 13. Content of notification
 14. Means of communication used
 15. Number of subscribers or individuals notified
 16. ...
 17. ...

ANNEX II

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Summary of the incident that caused the personal data breach

4. Estimated date of the incident

5. Nature and content of the personal data concerned as referred to in Article 3(2)

6. Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)

7. Circumstances of the personal data breach as referred to in Article 3(2)

8. Measures taken by the provider to address the personal data breach

9. Measures recommended by the provider to mitigate possible adverse effects
