The objective of this sub-module is to assist controllers in completing the formal form for notifying the data breach to the supervisory authority by assessing the potential consequences of the personal data breach.
The controller should notify the personal data breach to the supervisory authority unless it can demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In this case, the controller has the obligation to document the data breach internally, containing facts relating to the personal data breach indicating that there is no risk to the rights and freedoms of natural persons.