Data breach management policy
Below you can find the 'Policy for the management of personal data security incidents (data breaches)', approved by Decree of the General Director No. 743/2018, protocol No. 58094 of 22 October 2018.
The Policy provides a procedure to be followed when a personal data breach occurrs, namely 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'. The Policy also addresses the circumstances that lead to the obligation for the University, in its capacity as Data Controller, to notify the Data Protection Authority and the affected individuals as required by articles 33 and 34 of EU Regulation 2016/679 (GDPR).
The Policy's introduction includes information on the purpose and scope of the document, definitions as well as a description of the types of data breach. The Policy, then, describes the security measures adopted by the University as well as the procedure to deal with a data breach, which goes from the investigative actions to be taken to detect the security incident to the notification to the competent Data Protection Authority and affected individuals. Moreover, the Policy includes details on the risk assessment methodology used, on the data breach register as well as on the responsibilities deriving from the violation of the procedure described in the Policy. Finally, the Policy provides examples of data breaches with the risk associated with them and the related obligation to notify the same.
|Data breach management policy|
Publication date: 25/10/2018
Last update: 26/11/2021