A personal data breach is any security incident that leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data.
Whenever such a breach may represent a risk to the rights and freedoms of data subjects, the controller must:
Notify the CNPD within a maximum of 72 hours after becoming aware of the breach;
Inform data subjects, when the breach may entail a high risk to their rights.
The notification must contain:
The nature of the breach;
The probable consequences;
The measures adopted or proposed to remedy and mitigate the effects.