(Reading time: 2 - 3 minutes)

Undue delay under the GDPR

In cases where the processor has to respond to a data subject they must do so without undue delay. Meaning that even though a time limit has been set of 30 days for instance, you still may not unnecessarily take your time responding to the data subject.


When must you respond without undue delay?

As a controller to a data subject

  1. The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to their rights and freedoms in order to allow him or her to take the necessary precautions. Fine: approximately € 525.000,-
  2. Requests of Data subjects who want to exercise their rights. Fine: approximately € 525.000,-

As a processor to a controller

Once a data breach has been discovered by the processor, the processor should inform the controller without undue delay. Often times you’ll see in processing agreements that the processor has 72 hrs to inform the controller. But why accept that?! Yes, they might not have all the information that is helpful to you as a controller but you’d need to be able to take action if needed or at a minimum scramble some employees together to roll out a contingency plan or mitigation plan or other precautions. And since you are the controller YOU decide. So, my advice to you is to make sure that the processor only has 24hrs to inform you after they become aware. The faster you know about a breach the lesser the impact on data subjects are if the information is out there for the grabbing. Also, as seen above, they need to be able to take necessary precautions (such as password change, etc). Fine: approximately € 525.000,-

As a controller to a Data Authority

Notification of a personal data breach to the supervisory authority withing 72 hours after becoming aware. This does not mean you need to have ALL the answers. You need to inform them. And having a good risk management will help you assess whether the impact on data subjects is high or not. Giving that information at a minimum will help the Data Authority know what steps to take. You’ll have more time to get your things in order (without undue delay of course!), but you must at least inform them within 72 hrs of becoming aware. Fine: approximately € 525.000,-