Dataprotection Datenverletzung_ENGLISH_Winter 2024-25



Guide for Notification of Data Security Breaches

Gstaad Palace

1. Purpose and Basis

This guide (Guide) contains provisions for handling data security breaches and for notifying the competent data protection authority and the data subjects at Gstaad Palace (Company). The Guide provides employees with the fundamentals for handling data security breaches and, together with other measures and documents, enables them, in collaboration with the data protection coordination unit, to react promptly to data security breaches. The specific responsibilities are described in detail in Section 11 of this Guide.

The Guide is based on the requirements of the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).

In addition to this Guide, the data protection coordination unit may have to adopt country-specific rules and take them into account.

2. Objective of this Guide

This Guide outlines how to respond to data security breaches within the Company and aims to ensure that the necessary notification to the competent data protection authority is made as soon as possible after the data security breach is established. As a general rule, the notification must be made within 72 hours after establishing the data security breach.

3. Scope

This Guide applies to all employees of the Company who process personal data, are potentially involved in data processing activities, or establish data security breaches. Within the scope of their employment relationship, employees are obliged to comply with all applicable data protection laws as well as with this Guide.

4. Definitions

The applicable data protection law defines several important terms. In general, the following terms have the same meaning as defined in the FADP.

The definition of personal data is especially relevant:

Personal data

Definition Personal data means all information relating to an identified or identifiable natural person (e.g., name, address, location data, and, where applicable, online identifiers such as device ID, cookie ID, IP address, RFID tags, etc.).

Sensitivity

Sensitive personal data

Personal data of the following categories: data on religious, ideological, political or trade union-related views or activities; data concerning health, intimate sphere, or racial or ethnic origin; genetic data; biometric data that uniquely identify a natural person; data concerning administrative or criminal proceedings and sanctions; data concerning social security measures.

"Persons" refers to natural persons and not legal entities. Information about a contact person of a supplier or another company in B2B relationships is also considered personal data.

A data security breach occurs when personal data is accidentally or unlawfully lost, deleted, destroyed, altered, or disclosed or accessed without authorisation. In other words, a "security incident" occurs when the confidentiality, integrity, or availability of personal data is temporarily or permanently compromised.

5. Data Security Breaches and their Effects

As the above definition indicates, a data security breach results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, access to, or sharing of personal data. This includes not only intentional breaches, but also those that are caused accidentally or unintentionally. Furthermore, a data security breach is not limited to the loss of personal data but also encompasses, for example, unauthorised alteration or access to personal data.

Examples of data security breaches include:

- unauthorised access to personal data by a third party (e.g., hacker attacks);

- sending personal data to the wrong recipient (e.g., an email sent to an incorrect address);

- loss or theft of data processing devices containing personal data (e.g., loss of a company mobile phone or laptop);

- alteration/processing of personal data without permission; and

- loss of availability of personal data (e.g., non-availability of cloud service).

A data security breach, if not addressed in a timely and appropriate manner, may lead to physical, material, or non-material damage to data subjects. Examples of such damage are:

- loss of control over their personal data or limitation of their rights;

- discrimination;

- identity theft or misuse;

- financial loss;

- unauthorised reversal of pseudonymisation;

- damage to reputation; or

- loss of confidentiality of personal data protected by professional secrecy.

6. Obligations upon Establishing a Data Security Breach

Each employee has the following obligations when they establish a data security breach or suspect that such a breach has occurred:

- to document the data security breach (its time and date) as well as any supporting evidence (e.g., emails, screenshots, etc.) without undue delay;

- to notify the data protection coordination unit without undue delay;

- to notify the IT department without undue delay so that the data security breach is promptly documented by appropriate means, such as:

o describing the breach;

o taking screenshots;

o collecting protocols or log files;

o saving email correspondence, etc.;

- to take risk mitigation measures in collaboration with the data protection coordination unit.

It may be necessary to conduct further investigation to determine the exact cause of the data security breach. This investigation shall be led by the data protection coordination unit and documented using the questionnaire provided in Annex 1. If necessary, external service providers may be engaged to assist with the investigation.

7. Schedule and Obligation for Notification of a Data Security Breach

7.1 Timing

A notification of a data security breach must be submitted to the competent data protection supervisory authority as soon as possible, but no later than 72 hours from the discovery of the breach.

Awareness of a data security breach exists when it is established with reasonable certainty that a data security breach has occurred that has led to personal data being compromised.

Examples:

1. In the case of a loss of a USB stick containing unencrypted personal data, it is often not possible to establish whether unauthorised persons have accessed this data. However, even if the company cannot establish whether a breach of confidentiality has occurred, there is a reasonable degree of certainty that a breach of availability has occurred. The company would become "aware" when it discovers that the USB stick has been lost.

2. A third party informs a company that it has accidentally received personal data of a customer from the company and provides evidence of the unauthorised disclosure. Since the company has been provided with clear evidence of a breach of confidentiality, it has become "aware."

3. A company discovers that there may have been an intrusion into its network. The company checks its systems to establish whether any personal data contained in those systems has been compromised, and confirms that it has. Since the company now has clear evidence that personal data has been compromised, it has become "aware."

4. A cybercriminal contacts the company after hacking its system to demand a ransom. In this case, after the company checks its system to confirm the attack has taken place, it has clear evidence that a data security breach has occurred and has become "aware."

Companies are obliged to take all appropriate technical and organisational measures to determine without undue delay whether a data security breach has occurred. The Company is thus obliged to ensure that it becomes "aware" of any breaches in a timely manner.

Notification in Phases

Depending on the nature of the data security breach, further investigation may be required by the Company to gather all relevant facts related to the incident. Not in every case will all the necessary information be available within 72 hours after becoming "aware" of a data security breach. As such, a notification in phases is permissible. This will primarily be the case for large-scale data security breaches, such as cyber security incidents, where a thorough forensic investigation is necessary to fully assess the extent to which personal data has been compromised. The Company must inform the data protection authority about the notification in phases and provide justification for it.

Delayed Notifications

If the notification to the supervisory authority is not made within 72 hours, it must be accompanied by a justification for the delay. This rule, along with the concept of notification in phases, acknowledges that a company may not always be able to notify a data security breach within the specified timeframe and that delayed notification may be permissible.

This could be the case, for example, when a company experiences several similar data security breaches within a short period of time, that affect a large number of data subjects in the same manner.

As a general rule, each individual data security breach is a notifiable incident. Yet, the European data protection authorities acknowledge that companies may submit a "bundled" notification to avoid overload. The requirement, however, is that such data security breaches pertain to the same type of personal data and have occurred in the same manner within a relatively short period of time. If there are a number of data security breaches involving different types of personal data or occurring in different manners, then each incident should be notified separately.

7.2 Notification to the Data Protection Authority

GDPR

The GDPR requires that every data security breach be notified to the data protection authority unless it can be established that the breach is unlikely to result in a risk to the data subjects. A finding of a high risk is therefore not required for the notification to the authority.

FADP

The FADP, in deviation from the GDPR, stipulates that the notification to the data protection authority is necessary if the data security breach is likely to result in a high risk to the privacy and the fundamental rights of the data subject. Annex 4 provides examples that constitute a "high risk". They serve as an illustration of when a notification to the data protection authorities is required according to the FADP. In addition, the following explanations also help with the risk assessment.

Assessment of risk in case of data security breach

The risk is assessed based on the combination of the probability and the severity of a particular event. The Company must conduct an objective assessment of the risks. It is helpful to use a structured matrix to consider the probability and severity of risks. If a data security breach has occurred, the probability and severity of the resulting risk to the privacy or fundamental rights of the data subjects should be analysed and documented using the risk assessment matrix (probability against severity).

Each breach must be assessed on a case-by-case basis, taking into account all relevant factors. If the assessment concludes that a data security breach must be notified to the competent data protection authority, the final decision regarding notification must be made by the (hotel) management.

7.3 Notification to Data Subjects

GDPR

The GDPR requires that a data security breach be notified to data subjects if the breach is likely to result in a high risk to their rights and freedoms. Annex 4 provides guidance on when a notification to data subjects must be made.

In terms of risk assessment, the risk assessment matrix described above is also helpful here. A data security breach may have a range of negative effects on data subjects, including, among other things, emotional distress and physical or material damage. Data security breaches may significantly impact the data subjects whose personal data has been compromised. Therefore, each breach must be assessed on a case-by-case basis, taking into account all relevant factors. If the assessment concludes that the data subjects must be notified of a data security breach, the final decision regarding notification must be made by the (hotel) management.

FADP

The FADP requires that a data security breach be reported to the data subjects if, cumulatively, the breach is likely to result in a high risk to the privacy or fundamental rights of the data subjects and it is necessary for their protection or the FDPIC requires it. Regarding the first requirement, reference can be made to the provisions on notification to the data protection authority as per the FADP. The second requirement is met if the risk can be either eliminated or mitigated by providing the information to the data subjects (Annex 4 provides examples of when notification to the data subjects must be made).

Notification to the data subjects is particularly necessary when there is an immediate risk of damage that needs to be mitigated. One of the main reasons for informing the data subjects is to assist them in taking measures to protect themselves from the consequences of a data security breach, such as changing their login credentials or passwords.

If the assessment leads to the conclusion that the data subjects must be informed about the data security breach, the final decision regarding notification must be made by the (hotel) management.

8. Procedures for Internal Notification of a Data Security Breach

A data security breach can be detected by any employee within the Company. In the first step, employees who discover an incident must immediately contact the data protection coordination unit and document the discovered breach (at least its time and date, along with any additional information for securing evidence). The data protection coordination unit then takes over the case and provides support and guidance to the employees.

The data protection coordination unit informs the (hotel) management without undue delay, documents the data breach (see Annex 1), and assesses the need for notifying the competent data protection supervisory authority about the data security breach. If the data protection coordination unit determines that a notification of the data security breach is necessary, it compiles the necessary information for the (hotel) management to decide whether the breach should be notified. Following the (hotel) management's decision, the data protection coordination unit prepares and submits the notification (see Annex 2 and/or Annex 3).

In general, the procedure in case of a data security breach includes the following steps, each with the responsible party and the timing:

1 The Company discovers or becomes aware of a security incident and determines whether personal data is involved. The Company becomes "aware" of a personal data breach and assesses the risk to data subjects.
  Responsible: Employees. Timing: immediately after discovery of the breach.

2 Documenting the data breach (its time and date) and securing evidence.
  Responsible: Employees. Timing: immediately after discovery of the breach.

3 Informing the data protection coordination unit.
  Responsible: Data protection coordination unit. Timing: immediately.

4 Reviewing the documentation of the employee(s) and deciding on the implementation of measures. Assessing the risk of the data security breach for the data subjects.
  Responsible: Data protection coordination unit.

5 Determining whether a notification of the data security breach is required, considering the different notification thresholds under the FADP and GDPR. Documenting the breach and obtaining approval from the (hotel) management.
  Responsible: (Hotel) management. Timing: immediately.

6 Preparing and submitting the data security breach notification to the data protection authority.
  Responsible: Data protection coordination unit. Timing: no later than 72 hours after the discovery of the data breach.

7 If necessary, preparing and sending the data security breach notification to the data subjects.
  Responsible: Data protection coordination unit. Timing: without undue delay after notification to the supervisory authority.

8 Documenting the incident and the notification.
  Responsible: Data protection coordination unit. Timing: immediately.

9 Reviewing the incident and proposing measures to the (hotel) management to prevent similar incidents.
  Responsible: Data protection coordination unit. Timing: after the incident is over.

Employees must inform the data protection coordination unit as soon as they discover or suspect a data security breach. It is important to document the date and time of the discovery of the breach to ensure that the notification to the competent data protection supervisory authority can be made as soon as possible, generally within 72 hours. The data protection coordination unit shall inform the (hotel) management to decide whether a breach must be notified. In addition, the appropriate measures shall be taken by the data protection coordination unit in collaboration with other departments.

9. Form of Notification of a Data Security Breach

If the analysis shows that a data security breach must be notified to the competent data protection supervisory authority (see Section 7.2) and the (hotel) management, in consultation with the data protection coordination unit, has decided to notify the data breach, the template form provided in Annex 2 should be used. The completed form shall be sent to the competent data protection supervisory authority, and a copy thereof shall be archived.

If the analysis of a data security breach shows that the data subjects must be notified (see Section 7.3) and the (hotel) management, in consultation with the data protection coordination unit, has decided to notify the data subjects, the template form provided in Annex 3 should be used. The completed form shall be sent to each data subject, and a copy thereof shall be archived.

10. Additional Useful Information

Illustrative examples can be found in Annex 4 of this Guide.

11. Responsibilities

11.1 (Hotel) Management

The (hotel) management establishes the overall framework for notifying data security breaches to the competent data protection supervisory authority and ultimately decides whether to make a notification. It appoints a data protection officer - the data protection coordination unit - who acts as the lead, advisory, and controlling body for data security breach notifications.

11.2 Supervisors

Supervisors at all levels are responsible for enforcing and complying with data protection regulations within their areas of responsibility. They collaborate with the data protection coordination unit to provide training and awareness to their employees. They act as role models and encourage employees to comply with data protection measures.

11.3 Employees

Each employee must ensure that they inform the data protection coordination unit of any data security breach without undue delay, document the discovered breach, and secure evidence.

Employees are required to follow the instructions provided by the data protection coordination unit. In addition, employees are obliged to regularly participate in data security training sessions.

11.4 Data Protection Coordination Unit

The Company appoints a data protection coordination unit. The data protection coordination unit is the central point of contact for questions relating to data protection and data security and is also responsible for notifying the competent data protection supervisory authority of any data security breach on the basis of a (hotel) management decision in each individual case. It can be contacted via fbm@palace.ch or telephone 861.

The data protection coordination unit is responsible for documenting the notifications of data security breaches to comply with accountability standards. It shall ensure that the documentation related to completed notifications is retained for a minimum of two years. Furthermore, the data protection coordination unit is responsible for assessing data security breaches in collaboration with other departments after the occurred incident and, if necessary, proposing necessary measures to the (hotel) management in order to prevent the occurrence of similar incidents.

12. Sanctions

Violations of this Guide may result in disciplinary measures and/or civil and/or criminal proceedings.

13. Final Provisions

13.1 Amendments and Supplements

This Guide may only be amended, supplemented or rescinded by written resolution of the (hotel) management. Any addition, deletion or modification of individual provisions shall qualify as an amendment or supplement. Corrections of a formal nature are excepted from this.

13.2 Additional Documents

This Guide is the basis for ensuring that notifications of data security breaches are made when necessary. The Guide can be used as a basis for developing other documents that are required in connection with the processing of personal data, in particular user-specific or department-specific guides.

13.3 Integrated Annexes

The following Annexes are an integral part of this Guide:

Annex 1: Questionnaire for Documenting Data Security Breaches

Annex 2: Notification form (data protection supervisory authority)

Annex 3: Notification form (data subjects)

Annex 4: Illustrative examples

In case of any discrepancies, this Guide is prevailing.

13.4 Miscellaneous

This Guide shall be available to all employees via the Company's existing instruction system or via other channels as determined by the data protection coordination unit.

Amendments or supplements to this Guide shall become effective at the moment of publication on https://issuu.com/gstaadpalace/docs/guide_for_notification_of_data_security_breaches_e?fr=xKAE9_-Dt8g

13.5 Effective Date

This Guide shall become effective on Monday, 13th January 2025.

Annex 1

Questionnaire for Documenting Data Security Breaches

This Annex must be completed by the data protection coordination unit. The completed Annex must be retained to fulfil the data protection accountability requirements. Every data security breach, except for minor incidents, must be documented regardless of the level of risk to the data subjects. The assessment of risks should be based on this questionnaire and the risk assessment matrix (see Section 7.2 of the Guide). In the end, this assessment can be transferred to any specific tool used for documenting cyber incidents (e.g., OneTrust or ZOA-GDPR) to keep a record of the data breach and the decision made in the individual case. However, this documentation must be done regardless of the use of such a tool.

Description of the data security breach

(What happened? How did the data security breach occur and under what circumstances? etc.)

Date and time of the data security breach

Which personal data is affected?

Are sensitive personal data affected (e.g., health data, etc.)?

Description of the probable consequences of the data security breach

Number of data records concerned

Number of data subjects concerned

Description of the measures taken

1. Responsibility:

Function

Responsible person at the data protection coordination unit

Data protection officer (if applicable)

Person responsible for the notification

Name and department

Please note: When reporting data security breaches to the competent data protection authority, the data protection coordination unit must be involved. The decision whether to report a data security breach to the competent data protection authority must be made by the (hotel) management.

2. Notification if the Company is a Data Processor

If the company is a processor and a data security breach has been discovered, the above information must be provided to the controller without undue delay. Yet, Sections 1 and 3 do not need to be completed or submitted to the controller.

Notification sent to the controller on/by:

3. Validation Scheme

Does the data security breach result in a risk to data subjects and must the data protection supervisory authority therefore be notified?

Yes No

Under the FADP, notification to the supervisory authority is not required if the data breach is unlikely to result in a high risk for the data subjects; under the GDPR, notification may only be omitted if the breach is unlikely to result in any risk to the data subjects (see Section 7.2 of the Guide).

Justification and decision:

Must the data subjects be informed?

Yes No

Informing the data subjects is always required if it is necessary for their protection or required by the competent data protection supervisory authority. Informing the data subjects is not (or no longer) necessary if appropriate technical and organisational measures are in place that make unauthorised access to the personal data concerned practically impossible (e.g., encryption). Informing may also be waived if effective measures have been taken to limit the damage. As a rule, informing the data subjects should be made if the information gives the data subjects the opportunity to effectively minimise the damage through their own measures (e.g., by blocking the credit card, changing a password, etc.).

Justification and decision:

Notification required?

Date and time of the notification

The notification must be made as soon as possible, but in principle no later than 72 hours after the data breach has been discovered.

If this deadline cannot be met, please provide a detailed justification.

Signature of the responsible person at the data protection coordination unit

Approval of the (hotel) management

Annex 2

Notification Form (Data Protection Supervisory Authority)

For a notification of a data security breach to the FDPIC, the FDPIC's notification platform must be used. It is available at: https://databreach.edoeb.admin.ch/report

For a notification to other data protection authorities, unless the respective data protection authorities prescribe other forms, the following form must be used.

1. Address of the data protection supervisory authority

2. Name and contact information of the data controller

3. Name and contact information of the responsible person at the data protection coordination unit

4. Description of the data security breach

5. Date, time, and duration of the data security breach (and, if applicable, a justification as to why the notification was made after the 72-hour time limit)

6. Which personal data are concerned?

e.g., contact information, credit card information, etc.

7. Description of the possible effects and risks of the data security breach for the data subjects

8. Categories of personal data and number of data records concerned

9. Categories and number of data subjects

10. Description of the measures taken to mitigate the consequences and risks

Annex 3

Notification Form (Data Subjects)

1. Address of the data subject

2. Name and contact details of the responsible person at the data protection coordination unit

3. Description of the data security breach and the personal data concerned

4. Description of the possible effects and risks of the data security breach for the data subjects

5. Description of the measures taken to mitigate the consequences and risks

6. Measures that the data subject can take

Annex 4

Illustrative Examples

The following examples help to determine whether it is required to notify the supervisory authority and/or inform the data subjects in various scenarios. For each example, the answers regarding the notification to the competent supervisory authority and the notification to the data subjects are given, followed by comments.

Example 1: A hotel has stored the backup copy of an archive containing personal data in encrypted form on a USB stick. During a break-in, the USB stick is stolen.

Notification to the competent supervisory authority? Probably not, as long as the conditions set out in the comments are met.

Notification to the data subjects? Probably not, as long as the conditions set out in the comments are met.

Comments: As long as the data is encrypted using a state-of-the-art algorithm, data backups exist, the unique key has not been compromised, and the data can be restored in a timely manner, it is probably not a notifiable data breach. However, if a compromise occurs later, notification is required.

Example 2: A hotel provides an online service. The service falls victim to a cyber attack, and as a result, personal data is compromised.

Notification to the competent supervisory authority? Yes, the incident must be notified to the supervisory authority if consequences for the data subjects are to be expected.

Notification to the data subjects? Yes, the data subjects must be notified, depending on the nature of the compromised personal data and if serious consequences for the data subjects are to be expected.

Example 3: In the call centre of a hotel, there is a short power outage lasting several minutes, resulting in customers being unable to reach the hotel and access their documents.

Notification to the competent supervisory authority? No.

Notification to the data subjects? No.

Comments: This is not a notifiable data breach, but the incident is still subject to documentation.

Example 4: A hotel falls victim to a ransomware attack in which all data is encrypted. There are no backups available, and the data cannot be restored. An investigation reveals that the ransomware was used exclusively for data encryption and no other malware was present in the system.

Notification to the competent supervisory authority? Yes, the incident must be notified to the competent supervisory authority if consequences for the data subjects are to be expected, because it involves a loss of data availability.

Notification to the data subjects? Yes, the data subjects must be notified, depending on the nature of the compromised personal data, the possible impact of the data unavailability, and other likely consequences.

Comments: If a data backup had been available and the data could have been restored in a timely manner, the notification to the supervisory authority and the data subjects would not have been necessary, as there would have been no permanent loss of data availability or confidentiality.

Example 5: A hotel operates an online marketplace with customers in several countries. After a cyber attack on the marketplace, the attacker publishes usernames, passwords, and purchase history on the internet.

Notification to the competent supervisory authority? Yes, incidents involving cross-border processing must be notified to the competent supervisory authority(ies).

Notification to the data subjects? Yes, because the incident could pose a high risk and the notification is necessary to protect the data subjects.

Comments: The company should take measures, for example, by requiring passwords to be reset for the affected accounts, and take other steps to mitigate the risk.

Example 6: A web hosting company acting as a processor discovers that the code controlling user authorisation contains an error. Due to the error, any user is able to access the account data of all other users.

Notification to the competent supervisory authority? As a processor, the web hosting company must notify its affected customers (the controllers) without undue delay. Assuming that the web hosting company has conducted its own investigation, the controllers concerned should have sufficient certainty as to whether a data breach has occurred in their specific case, so that it can be presumed that they become "aware" of the data breach with the notification by the web hosting company (the processor). In that case, the controller must notify the data breach to the supervisory authority.

Notification to the data subjects? If there is likely to be no high risk to the data subjects and no need for protection, they do not need to be notified.

Comments: The web hosting company (the processor) must also take into account other reporting obligations. Unless there is evidence that the vulnerability has been exploited in respect of one of the controllers, a notifiable data breach may not have occurred.

Example 7: A direct marketing email is sent to recipients in the "To..." or "Cc..." fields so that the recipients' email addresses are visible to all recipients.

Notification to the competent supervisory authority? Yes, the notification to the supervisory authority may be mandatory if a very large number of persons are affected, sensitive data is disclosed (e.g., the mailing list of a psychotherapist), or if other factors pose a high risk (e.g., the email contains the original passwords).

Notification to the data subjects? Yes, the data subjects must be notified, depending on the scope and nature of the personal data and the severity of the possible consequences.

Comments: Notification may not be required if no sensitive data is disclosed and only a small number of email addresses is visible.
