In the event of a breach of personal data protection, which is likely to lead to a high risk to rights and freedoms of natural persons, the Controller shall without undue delay notify the personal data breach to the data subject.

The notification to the data subject shall contain a clear and simple description of the nature of the personal data breach, as well as information and measures at least as follows:

• name and contact details of the responsible person or other contact point where more information can be obtained;
• description of likely consequences of the personal data breach;
• description of measures taken or proposed by the controller to remedy the personal data breach, including measures to mitigate its potential adverse consequences, if necessary.

This notification is not required if:

• The Controller has taken appropriate technical and organizational protection measures and applied them to the personal data concerned by the personal data breach,
• The Controller has taken follow-up measures to ensure that the high risk to the rights and freedoms of the data subjects is unlikely to have any consequences;
• It would require a disproportionate effort; in such a case, the Controller shall inform the public or take other measures to ensure that the data subject is informed in an equally effective manner.