Breach of personal data protections

Personal data breach is a breach of security leading to the destruction, loss or alteration; whether accidental or unlawful, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Art. 4 No. 12 EU-GDPR).

Personal data breaches may occur in a variety of ways.  This is associated, for example, with attacks on the IT systems or the unauthorized handling of personal or sensitive data.  This includes, for example:

  • Attacks on central IT systems (e.g. PAUL, PANDA, MACH) or decentralized IT systems (survey systems or research databases) where the attackers may have gained access/knowledge of personal data,
  • System modifications or spying for access codes (passwords) through mass distribution of viruses, malware or spam mails,
  • Systemveränderungen oder Ausspähen von Zugangskennungen (Passwörter) durch massenhafte Verbreitung von Viren, Malware und Spam-Mails,
  • The unintentional misconfiguration of systems resulting in personal data being published,
  • Sending of personal data accidentally to an e-mail distribution list to which the personal data does not belong,
  • The loss of a mobile end device (notebook, smartphone) or data medium (USB stick) on which personal data is saved,
  • Also the inadmissible publication of paper-based documents such as posting names with exam results.

All attacks (breaches), unauthorized use of data or suspicion of this must be carefully examined in order to identify violations of data protection and simultaneously information security.

If the security of a processing operation is breached as a result of an incident, data protection risks may arise for the data subjects. Such violations of the protection of personal data (data protection violations), Articles 33 and 34 of the GDPR provide for reporting and notification obligations to the responsible data protection supervisory authority and (in the case of high risks) to the persons concerned:

The report to the competent supervisory authority, the State Commissioner for Data Protection and Freedom of Information NRW, shall be done without undue delay and, where feasible, not later than 72 hours of the event. In addition, suitable measures must be taken to eliminate the personal data breach and to minimize and/or prevent the future impact of the data breach on those affected.

Obligation to report/register within the university

In order for Paderborn University, as the responsible body, to meet its reporting obligations timely, all employees report recognized information security incidents/data protection violations or reliable indications thereof to Paderborn University immediately upon detection. The web page for the reporting of information security incidents explains when and how to do this. 

In a letter written by university management, all employees have been informed regarding the implementation of the European General Data Protection Regulations for the reporting of information security incidents/breaches: Umsetzung der Europäischen Datenschutz-Grundverordnung bzgl. der Meldung von Informationssicherheitsvorfällen