Data Breach Policy


Director General, Mindbox Ltd.

“13” August 2021

Data Breach Policy

  1. Subject Matter and Purpose

    This Policy sets out the obligations of Mindbox Ltd. (“the Company”) regarding the handling and reporting of data breaches and personal data breaches in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).

    For the purpose of this Policy, “data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed, which poses a threat to the security, integrity, confidentiality, or availability of data.

    Data breaches to which this Policy applies may include, but are not limited to:

    • the loss or theft of a physical data record;

    • the loss or theft of computer equipment (e.g. laptop), mobile devices (e.g. smartphone or tablet), portable data storage devices (e.g. USB drive), or other data storage devices;

    • equipment failure;

    • unauthorised access to, use of, or modification of data (or inadequate access controls allowing unauthorised access, use, or modification);

    • unauthorised disclosure of data;

    • human error (e.g. sending data to the wrong recipient);

    • unforeseen circumstances such as fire or flood;

    • hacking, phishing, and other “blagging” offences whereby information is obtained by deception.

    This Policy applies to all staff of the Company.

    The Policy applies to all data breaches, both confirmed and possible.

    This Policy applies to all data breaches within the Company and is intended to ensure a quick response to them, to determine whether it is necessary to notify the supervisory authorities of the Member States of the European Union (hereinafter referred to as the “EU”), to notify data subjects about the data breach, and to minimize the harm caused to data subjects.

    The Data Protection Officer is responsible for the implementation of this Policy, for overseeing the handling of all data breaches, and for ensuring that this Policy is adhered to by all staff.

  2. Policy Objectives

    The objectives of the Policy are:

    • organising a prompt response to a data breach and effective notification of personal data subjects about the data breach;

    • determining whether a data breach needs to be reported to the supervisory authorities of the EU Member States in the field of data protection;

    • determining the methods for informing data subjects about a data breach;

    • minimizing the harm caused by a data breach to personal data subjects.

  3. General rules for reporting a data breach

    If the Company becomes aware of a data breach, then it will:

    • determine the level of risk of the data breach;

    • immediately take reasonable measures to minimize harm and protect the personal data subjects’ data;

    • if the risk level of the data breach is determined to be high, then the Company will report to the supervisory authority;

    • notify personal data subjects of the data breach without undue delay.

    The notification to the supervisory authority and the notification of the data subjects should describe the details of the data breach, including the steps taken to reduce potential harm to the data subjects and the steps which the Company recommends that the data subjects take to reduce the harm to themselves.

  4. Notification Procedure

    1. General rules

    2. The Data Protection Officer determines whether it is necessary to notify one or all of the following parties of a data breach:

      • data subjects concerned;

      • supervisory authority.

    3. Data subjects’ notification procedure

    4. When considering whether (and how) to notify personal data subjects about a data breach, the following should be considered:

      • the likelihood that the rights and freedoms of personal data subjects set out in the GDPR will be negatively affected;

      • whether there is a legal or contractual requirement for notification;

      • whether appropriate measures have been taken to protect the affected personal data (for instance, pseudonymization or encryption) which make the data unusable for unauthorized purposes;

      • whether appropriate measures have been taken after the data breach that exclude or minimize the occurrence of a high risk for the rights and freedoms of the affected personal data subjects;

      • advantages for personal data subjects in receiving notifications (for instance, providing them with the opportunity to reduce the risks related to data breach);

      • whether the notification of individuals is connected to disproportionate efforts (in this case, a public message or other widely available notification may be sufficient, provided that the affected personal data subjects are still effectively informed);

      • the best way to notify personal data subjects, taking into account the urgency of the situation and the security of possible methods;

      • any specific conditions applicable to certain categories of personal data subjects (for example, children or vulnerable people);

      • information that should be provided to affected personal data subjects;

      • how to make it easy for personal data subjects to contact the Company to learn more about the data breach;

      • further assistance that the Company should provide to affected personal data subjects, where it is appropriate;

      • the risks of excessive notification: not all data breaches require notification, and excessive notification can lead to resource costs and a disproportionate number of requests from individuals.

      If data subjects need to be informed of a data breach, their notification shall be made without undue delay.

      The following information is provided to data subjects in the Data Breach Notification (Appendix 1):

      • an understandable description of the data breach, including how and when it happened, the personal data concerned and the possible consequences;

      • clear and specific advice, where it is appropriate, on measures that people can take to protect themselves;

      • a description of the measures taken by the Company and / or proposed to be taken by personal data subjects to remedy the data breach;

      • the contact details of the Data Protection Officer, from whom affected data subjects can obtain additional information about the data breach.

    5. Supervisory authority notification procedure

    6. When considering whether (and how) to notify the supervisory authority of a data breach, the following factors should be considered:

      • the level of risk and potential harm to personal data subjects and their rights and freedoms, where harm may include (but is not limited to) financial loss, physical harm, loss of control over personal data, discrimination, theft or fraud, damage to reputation, and emotional stress;

      • the amount of personal data affected: the supervisory authority should be notified if a large amount of data is involved and there is a real risk that the personal data subjects will suffer as a result of the data breach, but it may also be appropriate to notify the supervisory authority if a smaller amount of high-risk data is involved;

      • the sensitivity of the data affected: the more sensitive the personal data, the smaller the amount of data at which the supervisory authority should be notified, and if the data breach poses a significant risk of personal data subjects suffering harm or significant damage, the supervisory authority should be notified.

      Because the Company does not have a lead supervisory authority, where it is necessary to report a data breach to a supervisory authority, the report is made to the supervisory authority of the EU Member State in which more than half of the data subjects affected by the data breach are located.

      If it is not possible to determine which EU Member State the personal data subjects affected by the data breach belong to without requesting additional information from them, the Company shall notify the supervisory authority of the Netherlands.

      If the supervisory authority is to be notified of the data breach, this should be done within 72 hours of the detection of the data breach. This deadline applies even if full details of the data breach are not yet available.

      The following information should be provided to the supervisory authority:

      • description of the nature of the data breach, including, if possible, the category or categories and the approximate number of data subjects whose personal data is affected by the data breach, as well as the category or categories and the approximate number of personal data records affected;

      • name and contact details of the data protection officer, from whom the supervisory authority can obtain additional information about the data breach;

      • a description of possible consequences of the data breach;

      • a description of the measures taken (or proposed) to remedy the data breach, including, where it is appropriate, the measures taken to mitigate any possible negative effects.

      Each data breach shall be recorded in the Data Breach Register (Appendix 2), regardless of whether a report is required. The decision-making process for reporting should be documented.

  5. Internal data breach reporting procedure

    1. General provisions on internal reporting of a data breach

    2. If a data breach is detected or suspected, the employee or employees who identified it must complete the Data Breach Report (Appendix 3) and send it to the personal data protection inspector by

      The completed Data Breach Report Form should include complete and accurate information about the data breach, including (where applicable):

      • Date and time of the data breach

      • Date and time the data breach was identified

      • Category(ies) of personal data concerned

      • Category(ies) of data subjects concerned

      • Sensitive categories of personal data concerned

    3. Steps to be taken after receiving a Data Breach Report

    4. After receiving the Data Breach Report Form, the Data Protection Officer should start by determining whether the data breach is still ongoing. If this is the case, appropriate steps should be taken immediately to minimize the impact of the data breach and to stop it.

      Having established the above, the following steps should be taken in relation to the data breach:

      • conduct an initial assessment of the data breach, liaising with relevant employees and departments where necessary to determine the severity of the data breach;

      • to the extent practicable, recover, modify, or restrict the availability of the affected data (for example, by changing or revoking access permissions or by temporarily making data in electronic form inaccessible);

      • determine whether further actions can be taken to recover data and / or other losses, as well as to limit the damage caused by the data breach;

      • determine who needs to be notified initially (including law enforcement agencies if physical records or equipment were lost or stolen) as part of the initial containment;

      • determine, together with the relevant employees and departments, actions to address the data breach; and

      • record the data breach and the initial steps taken above in the Data Breach Register.

      After completing the initial steps described above, the Data Protection Officer proceeds to investigate and evaluate the data breach.

    5. Investigation and Assessment

    6. The Data Protection Officer shall begin an investigation of a data breach as soon as is reasonably possible after receiving a Data Breach Report Form (or being notified in any other way) and, in any event, within 24 hours of the data breach being discovered and/or reported.

      Investigations and assessments must take the following into account:

      • the category(ies) of data concerned (and, in particular, whether the data is personal data or sensitive personal data);

      • the sensitivity of the data (both commercially and personally);

      • what the data breach involved;

      • what organisational and technical measures were in place to protect the data;

      • what might be done with the data as a result of a breach (including unlawful or otherwise inappropriate misuse);

      • where personal data is involved, what that personal data could tell a third party about the personal data subjects to whom the data relates;

      • the category or categories of personal data subjects to whom any personal data relates.

      The findings of the investigation and assessment described above must be recorded in the Company’s Data Breach Report.

      Having completed the investigation and assessment described above, the Data Protection Officer shall determine the parties to be notified of the data breach.

    7. Evaluation and Response

    8. When the steps set out above have been completed, the data breach has been contained, and all necessary parties have been notified, the Data Protection Officer shall conduct a complete review of the causes of the data breach, the effectiveness of the measures taken in response, and whether any systems, policies, or procedures can be changed to prevent data breaches from occurring in the future.

      Such reviews shall, in particular, consider the following with respect to data (and in particular, personal data) collected, held, and processed by the Company:

      • where and how data is held and stored;

      • the current organisational and technical security measures in place to protect data and the risks and possible weaknesses of those measures;

      • the methods of data transmission for both physical and electronic data and whether or not such methods are secure;

      • the level of data sharing that takes place and whether or not that level is necessary;

      • whether any Data Protection Impact Assessments need to be conducted or updated;

      • staff awareness and training concerning data protection.

  6. Policy Review and Implementation

    This Policy shall be deemed effective from the moment it is approved by the Company’s Director General.

    This Policy will be updated as necessary in accordance with EU legislation in the field of personal data protection, taking into account the official explanations of the European Data Protection Board (EDPB) and current best practices.

    All questions and comments related to this Policy should be sent to the #legal department by