Purpose and legal basis for processing

If you report a personal data breach at your organisation, we’ll collect information about you so we can communicate with you about the breach.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

What we need

Organisations must report any security breaches involving personal data to us without undue delay and, where feasible, within 72 hours.

In addition, public electronic communications service providers must report any security breaches involving personal data under the Privacy and Electronic Communications Regulations 2003 to us within 24 hours.

We provide a dedicated breach reporting helpline for this purpose, which can be contacted on 0303 123 1113. You can also report online.

Along with information about the breach, we’ll ask you for your name, email address and contact phone number, and the name and details of the person we should contact about the matter (if this isn’t you).

Why we need it

We need this information to record the breach, to make decisions about any action we may take, and to carry out those actions if necessary. We need the personal data we collect as we may contact you for more information and to inform you of the outcome of any investigation or decision we make about the breach.

How long we keep it

For information about how long we hold personal data, see  our retention schedule.

What are your rights?

As we process personal data in the breach form in our capacity as a regulator, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?

No – we do not use any data processors for the above.