On the Approval of the Criteria for Determining Incidents Posing a Significant Threat to Fundamental Human Rights and Freedoms and the Procedure for Notifying the Personal Data Protection Service of an Incident

Document number 19
Document issuer Head of the Personal Data Protection Service
Date of issuing 28/02/2024
Document type Order of the Head of the Personal Data Protection Service
Source and date of publishing Website, 28/02/2024
Activating Date 01/03/2024
Registration code 010100000.78.091.016020

Order No 19

of 28 February 2024

of the Head of the Personal Data Protection Service

Tbilisi

On the Approval of the Criteria for Determining Incidents Posing a Significant Threat to Fundamental Human Rights and Freedoms and the Procedure for Notifying the Personal Data Protection Service of an Incident

In accordance with Article 29(9), Article 30(4) and Article 88(4)(a) of the Law of Georgia on Personal Data Protection, I hereby order:

Article 1

The annexed criteria for determining incidents posing a significant threat to fundamental human rights and freedoms and the procedure for notifying the personal data protection service of an incident shall be approved.

Article 2

This Order shall enter into force on 1 March 2024.

Head of the Personal Data Protection Service    Lela Janashvili

The criteria for determining incidents posing a significant threat to fundamental human rights and freedoms and the procedure for notifying the Personal Data Protection Service of an incident.

Chapter I General Provisions

Article 1 – Purpose and scope of the Law

1. The purpose of the criteria for determining incidents posing a significant threat to fundamental human rights and freedoms and the procedure for notifying the Personal Data Protection Service of an incident (the Procedure) is to establish criteria for determining incidents that pose a significant threat to fundamental human rights and freedoms (incident) as provided for by Article 29(1) and Article 30(4) of the Law of Georgia on Personal Data Protection (the Law) and to determine the procedure for notifying the Personal Data Protection Service (the Service) of an incident.

2. This procedure shall not apply to incidents related to data processing for the purposes of activities provided for by Article 2(2)(b) of the Law.

Article 2 – Definition of terms

The terms used in this Procedure shall have meanings as defined in the Law.

Chapter II Criteria for Determining Incidents

Article 3 – Concept and types of incident

1. For the purposes of this Procedure, an incident is a breach of security of personal data (including organisational, physical or technical) leading to the unlawful or accidental damage to or loss of data, as well as their unauthorised disclosure, destruction, alteration or access, or the collection/obtaining of data, or other unauthorised processing.

2. Types of incidents may be:

a) breach of confidentiality – unauthorised disclosure of or access to personal data;

b) integrity breach – unauthorised alteration of personal data, as well as unlawful or accidental damage thereto, or loss thereof;

c) availability breach – loss or restriction of access to personal data, or destruction or erasing of data.

Article 4 – Assessment of an incident

1. An incident may result in tangible or intangible damage of physical, property or non-property value.

2. A controller, upon the detection of an incident, shall start the assessment of the severity of the incident and the likelihood of the incident causing significant damage to human rights and freedoms and/or posing a significant threat, taking into consideration the circumstances and criteria provided for by Articles 5 and 6 of this Procedure.

3. An incident shall be considered detected and a controller shall be considered informed thereof from the moment he/she learns about the incident.

4. The likelihood of an incident causing significant damage to human rights and freedoms and/or posing a significant threat shall be assessed through qualitative analysis when an impartial decision is made with due consideration of experience, available information, knowledge, reasoning and the criteria provided for by this Law.

Article 5 – Circumstances to be considered when assessing the severity of a significant threat an incident might pose to human rights and freedoms

For the purposes of determining the severity of a significant threat an incident might pose to human rights and freedoms, a controller shall take the following circumstances into consideration:

a) the type of incident (a breach of confidentiality of personal data, an integrity breach or an availability breach);

b) the category of personal data that are affected by the incident;

c) whether the incident concerns the personal data of a minor, a person with disabilities, or other data subject in need of special social or legal protection;

d) the level of possibility of a data subject being identified by a third person as a result of the incident;

e) the special nature of activities of a controller which may be accompanied by an increased threat;

f) the extent of the incident in terms of the number of data subjects and/or the amount of personal data;

g) other circumstances which may significantly affect the severity of the likelihood of the incident posing a significant threat to human rights and freedoms.

Article 6 – Criteria for the assessment of an incident causing significant damage to human rights and freedoms

An incident may be considered to cause significant damage to human rights and freedoms if it results in/might result in one of the following outcomes:

a) discrimination against a data subject, an appropriation or a falsification of his/her identity, financial damage, the reputation of a data subject being compromised, a breach of confidentiality of personal data protected by professional secrecy, or other significant social and/or economic damage;

b) interference with the exercise by a data subject of rights provided for by law, including a restriction of the exercise by a data subject of rights within the time limits established by law;

c) the erasing/destruction of data in such a manner that the data cannot be restored, or its restoration involves disproportionate time and effort, except when, based on the purpose of the processing of personal data (except for personal data of a special category), the data subject will not suffer damage as provided for by subparagraphs (a), (b), (d), (e) and (f) of this article or other significant damage as a result of said erasing/destruction;

d) the illegal disclosure of data of a special category;

e) physical damage, including a restriction in receiving medical services, if that leads to postponing an intervention or operation which has an adverse effect on the condition of a patient;

f) the illegal processing of the personal data of a minor, a person with disabilities, or other data subject in need of special social or legal protection.

Article 7 – Determining the likelihood of an incident causing significant damage to human rights and freedoms and/or posing a significant threat

1. The likelihood of an incident causing significant damage to human rights and freedoms and/or posing a significant threat may be low, medium or high.

2. The likelihood of an incident causing significant damage to human rights and freedoms and/or posing a significant threat shall be:

a) low, if it is unlikely that the incident will cause significant damage and/or pose a significant threat to human rights and freedoms;

b) medium, if the likelihood of the incident causing significant damage to human rights and freedoms and/or posing a significant threat and the likelihood of the non-occurrence of such damage/threat are more or less equal;

c) high, if the incident will most likely cause significant damage and/or pose a significant threat to human rights and freedoms.

Chapter III Procedure for notifying an incident to the Service

Article 8 – Obligation to notify an incident

1. A controller shall be obliged to notify the Service of an incident within 72 hours after its detection in accordance with the Law and this Procedure if there is a medium or high likelihood of the incident causing significant damage and/or posing a significant threat to human rights and freedoms.

2. If an incident cannot be completely assessed within 72 hours of its detection, but there is a reasonable belief in a medium or high likelihood that the incident might cause significant damage and/or pose a significant threat to human rights and freedoms, the controller shall not wait for the completion of the assessment of the incident and shall notify the Service of the incident. In such case, if a controller cannot give all the information as provided for by Article 10(2) of this Procedure for objective reasons, the notification may be submitted in stages, within reasonable time limits and without undue delay.

3. If the likelihood that an incident will cause significant damage and/or pose a significant threat to human rights and freedoms is low, the obligation to notify the Service shall not be incurred.

Article 9 – Notification of an incident

1. A controller shall notify the Service of an incident in writing or in an electronic form.

2. If an incident concerns information containing state secrets, a controller shall notify the Service of the incident in accordance with the procedure established by the legislation of Georgia.

3. The administration of the electronic notification management system for an incident shall be carried out by the Service.

4. To notify the Service of an incident, based on the information provided by a controller, a person responsible for the notification of an incident determined by the controller shall fill out the incident notification form and submit it to the Service.

Article 10 – Notification of an incident in an electronic form

1. The notification of an incident in an electronic form shall be carried out by a form generated in an electronic notification management system for an incident available on the official website of the Service, which shall include:

a) name, legal form, identification number and address of a controller;

b) area of activities (public sector, law enforcement body, private sector) of a controller;

c) name, surname, position and contact information (phone number, e-mail address) of a person responsible for filling out the incident notification form;

d) name, surname and contact information (phone number, e-mail address) of a personal data protection officer, if any;

e) name, surname, position and contact information (phone number, e-mail address) of other contact person, if any;

f) whether an initial notification of an incident is being made, or the submission of additional or updated information;

g) in the case of the submission of additional or updated information, an identification number assigned to the incident;

h) status of an incident (ongoing/ended/unknown);

i) time of start of an incident (if known) and time of end of an incident (if the incident has ended);

j) time of detection of an incident by a controller;

k) if the notification cannot ensure the provision of the Service with the full information on the incident, an explanation for the reasons thereof;

l) type of an incident:

l.a) breach of confidentiality;

l.b) integrity breach;

l.c) availability breach;

m) consequences of the incident:

m.a) accidental or intentional destruction of data;

m.b) accidental or intentional alteration of data;

m.c) theft or loss of an encrypted device;

m.d) theft or loss of an unencrypted device;

m.e) theft or loss of a tangible document or unauthorised access to it;

m.f) unauthorised access to data in an electronic form;

m.g) restriction of access to data in an electronic and/or tangible form;

m.h) unauthorised access to/illegal disclosure of data processed via a video monitoring and/or audio monitoring system;

m.i) unauthorised access to/illegal disclosure of correspondence carried out via e-mail;

m.j) unauthorised access to a user’s account on an online portal/illegal disclosure of data on it;

m.k) unauthorised access to a user’s account on social media and/or a short text message exchange platform/illegal disclosure of data in it;

m.l) unauthorised access to correspondence/illegal disclosure of data in it;

m.m) illegal access to data stored in electronic devices;

m.n) disclosure of data orally;

m.o) obtaining access to data by means of deception or misleading;

m.p) illegal disclosure of data;

m.q) mistake made during the processing of data;

m.r) works required for ensuring the technical serviceability of a system;

m.s) other consequences;

n) if the data that may be affected by the incident is known:

n.a) first name, surname, date of birth;

n.b) personal number and/or passport number;

n.c) contact data;

n.d) identification or access information (user name, password);

n.e) page on social media (i.e. profile);

n.f) economic and financial data;

n.g) official documents or their copies;

n.h) location data (including information on geolocation);

n.i) photo, video or audio material containing personal data;

n.j) information related to personal activities or family life;

n.k) information related to professional activities;

n.l) data on communication conducted by a person;

n.m) data of special category;

n.n) other data;

o) approximate or exact number of data subjects affected by the incident, if known;

p) whether or not the results of the incident concern a minor, a person with disabilities and/or a person in need of other special social or legal protection, if known;

q) the medium or high likelihood that an incident might cause significant damage to human rights and freedoms/pose a significant risk;

r) information on data security and technical and/or organisational measures (technical, software and physical security solutions/mechanisms ensuring data security, formalised organisational policies and non-formalised rules) facilitating the immediate decrease of potential damage as a result of the incident, taken after the incident;

s) information on data security and technical and/or organisational measures (technical, software and physical security solutions/mechanisms ensuring data security, formalised organisational policies and non-formalised rules) facilitating the immediate decrease of potential damage as a result of the incident, to be taken in the future;

t) whether or not a controller plans to inform the data subject(s) regarding the incident and in what period and what form;

u) whether or not the disclosure of information poses a threat to:

u.a) national security, information safety and cyber security and/or defence interests;

u.b) public safety interests;

u.c) crime prevention, investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, and the conduct of operative and investigative activities;

u.d) interests relating to financial or economic matters (including monetary, budgetary and taxation matters), public health and social protection issues of importance to the country;

v) in the case provided for by Article 29(11) of this Law, information regarding the agreement with a respective competent authority in the field of information security and cyber security.

2. The information provided for by this article, submitted to the Service by a person provided for by Article 9(4) of this Procedure, shall be immediately reflected in the electronic notification management system for an incident and shall be available to an authorised person of the Service.

Article 11 – Notification of an incident in writing

In the case of the notification of an incident in writing, the notification shall include the information provided for by Article 10(1) of this Procedure and shall be submitted to the Service via the automated system of record-keeping provided for by Article 2 of the Ordinance No 64 of 21 February 2012 of the Government of Georgia on the Approval of the Minimum Standard of Automated System of Record-keeping in the Treasury (Budgetary) Institutions, or in a tangible form.

Article 12 – Procedure for the reception of the notification of an incident and its registration in the Service

1. The reception of the notification of an incident in an electronic form and its registration shall be conducted automatically, by the electronic notification management system for an incident of the Service.

2. The Service shall carry out the reception of the notification of an incident in an electronic form and its registration in accordance with the procedure provided for by the record-keeping procedure of the Service.