[repost]
The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009. The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.
Pursuant to the notification obligation, private organizations (and public entities that compete in the free market) must notify without undue delay both the competent DPA and affected individuals of any unlawful transfer or other disclosure of certain types of personal data to third parties under certain circumstances. Relevant circumstantial requirements include the type(s) of data involved and whether there is a threat of serious effects on the rights or protected interests of the data subjects resulting from the transfer or disclosure.
Read more on the Hunton & Williams Privacy and Information Security Law Blog.