112. As stated above, personal data protected by an appropriate level of encryption will be
unintelligible to unauthorised persons without the decryption key. Additionally, appropriately-
implemented pseudonymisation (defined in Article 4(5) GDPR as “the processing of personal data in
such a manner that the personal data can no longer be attributed to a specific data subject without the
use of additional information, provided that such additional information is kept separately and is
subject to technical and organisational measures to ensure that the personal data are not attributed
to an identified or identifiable natural person”) can also reduce the likelihood of individuals being
identified in the event of a breach. However, pseudonymisation techniques alone cannot be regarded
as making the data unintelligible.
• Severity of consequences for individuals
113. Depending on the nature of the personal data involved in a breach, for example, special
categories of data, the potential damage to individuals that could result can be especially severe, in
particular where the breach could result in identity theft or fraud, physical harm, psychological distress,
humiliation or damage to reputation. If the breach concerns personal data about vulnerable
individuals, they could be placed at greater risk of harm.
114. Whether the controller is aware that personal data is in the hands of people whose intentions
are unknown or possibly malicious can have a bearing on the level of potential risk. There may be a
confidentiality breach, whereby personal data is disclosed to a third party, as defined in Article 4(10),
or other recipient in error. This may occur, for example, where personal data is sent accidentally to the
wrong department of an organisation, or to a commonly used supplier organisation. The controller
may request the recipient to either return or securely destroy the data it has received. In both cases,
given that the controller has an ongoing relationship with them, and it may be aware of their
procedures, history and other relevant details, the recipient may be considered “trusted”. In other
words, the controller may have a level of assurance with the recipient so that it can reasonably expect
that party not to read or access the data sent in error, and to comply with its instructions to return it.
Even if the data has been accessed, the controller could still possibly trust the recipient not to take any
further action with it and to return the data to the controller promptly and to co-operate with its
recovery. In such cases, this may be factored into the risk assessment the controller carries out
following the breach – the fact that the recipient is trusted may eradicate the severity of the
consequences of the breach but does not mean that a breach has not occurred. However, this in turn
may remove the likelihood of risk to individuals, thus no longer requiring notification to the supervisory
authority, or to the affected individuals. Again, this will depend on a case-by-case basis. Nevertheless,
the controller still has to keep information concerning the breach as part of the general duty to
maintain records of breaches (see section V, below).
115. Consideration should also be given to the permanence of the consequences for individuals,
where the impact may be viewed as greater if the effects are long-term.
• Special characteristics of the individual
116. A breach may affect personal data concerning children or other vulnerable individuals, who
may be placed at greater risk of danger as a result. There may be other factors about the individual
that may affect the level of impact of the breach on them.
• Special characteristics of the data controller
117. The nature and role of the controller and its activities may affect the level of risk to individuals
as a result of a breach. For example, a medical organisation will process special categories of personal
data, meaning that there is a greater threat to individuals if their personal data is breached, compared
with a mailing list of a newspaper.
• The number of affected individuals