Ways of the communication a personal data breach to the data subjects
GDPR does not require any particular form of the communication a personal data breach to the data subject. Choice of the communication form shall depend on a contact details available to the controller.
Bearing in mind the importance of a communication, its form shall enable becoming aware of the content of the communication multiple times. It is important to provide the communication to the data subject as soon as possible. Choosing less effective means of communication, the controller may cause undue delay in providing the information.
In this context, the disadvantage of the communication delivered via postal system is its delivery time. By comparison, the main advantage of the electronic form of communication is its speed, which is desirable because of the obligation to communicate the personal data breach to the data subject without undue delay (Article 34(1) GDPR). Electronic form enables becoming aware of the content of the communication multiple times and to print it, if necessary.
In principle, the relevant breach should be communicated to the affected data subjects directly, unless doing so would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner (Article 34(3)c GDPR).
Dedicated messages should be used when communicating a breach to data subjects and they should not be sent with other information, such as regular updates, newsletters, or standard messages. This helps to make the communication of the breach to be clear and transparent. A notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach to an individual.