Personal data breach: safety and security

A personal data breach happens every day. In today’s digital age, personal data has become an extremely valuable asset, but at the same time the target of numerous threats. From financial information to private communications, our data is constantly collected, processed and stored. The European Union’s General Data Protection Regulation (GDPR) lays the foundation for protecting this data, but understanding the risks and protection mechanisms is crucial for every individual and organization. This blog aims to shed light on how the security of personal data can be compromised, what the methods of the breach are, how we can protect ourselves and who is responsible and what remedies are available in the event that a breach does occur.

I. Introduction: Risks lurk – How is the security of personal data compromised and what are the methods of breach?

The security of personal data is constantly being tested in the digital environment. Understanding how data can be compromised and the methods used by attackers is the first step towards effective protection.

A. Ways of compromising the security of personal data

Personal information can be compromised in a variety of ways, reaching far beyond sophisticated hacking attacks. Often these are the consequences of human errors, technical defects or even natural events. Data security can be compromised through hardware, software, communication channels, or even physical documents.

Specific examples of threats include:

• Improper Use: This may include abuse of access rights by authorized persons or handling an error that leads to the disclosure of information.
• Modification: Data can be altered without permission, for example by installing malware such as keyloggers that record keystrokes, or other types of software or hardware traps.
• Loss: The physical loss of devices such as laptops or USB sticks that store unprotected data is a common cause of breaches.
• Observation: Unauthorized screen observation or geolocation tracking of the device also poses a risk.
• Deterioration: Vandalism or natural deterioration of the storage media can lead to data loss or corruption.
• Overload or unavailability: Denial-of-service (DDoS) attacks can make data inaccessible, while ransomware can encrypt data and demand a ransom to restore it.

The General Data Protection Regulation (GDPR) requires controllers and processors to assess the risks associated with processing, such as accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of or access to personal data.  It is important to understand that threats can be both intentional, such as targeted attacks, and accidental, resulting from day-to-day operations or the human factor within the organization. Therefore, the security of personal data is not compromised solely by external malicious actors; Internal omissions, coincidences, or inadequate handling of data pose an equally significant risk. It follows from this that a comprehensive data protection strategy must address multiple threat vectors, including technical, physical and human aspects, as data resides on different media and is processed through different channels.

B. Methods of personal data breach

Attackers use a variety of methods to get their hands on personal information. These methods are becoming more sophisticated and often target the human factor as the weakest link in the security chain.

• Phishing and Social Engineering:
   Phishing is one of the most widespread techniques, which involves sending fake emails that appear to come from legitimate sources, such as banks or popular online services. The goal is to trick the victim into clicking on a malicious link and entering their sensitive information (usernames, passwords, credit card numbers) into the fake website. Social engineering is a broader term that encompasses various psychological manipulation techniques to get people to disclose confidential information or perform certain actions. Attackers often create a sense of urgency or impersonate themselves as trustworthy. The GDPR recognizes these risks and instructs controllers to take appropriate safeguards.
• Malware (Malware):
  This is an umbrella term for different types of malware, including viruses, worms, Trojan horses, spyware (spyware), keyloggers (which record keyboard input), and ransomware (ransomware). Malware can reach a device through infected email attachments, downloads from untrusted sites, or by exploiting security vulnerabilities. Once installed, it can steal data, damage the system, or make it inaccessible.
• Hacking:
  Hacking entails unauthorized access to computer systems, networks, or data by exploiting technical vulnerabilities in software or hardware. While the GDPR does not directly define “hacking,” the concept of “unauthorized access” to personal information covers this method.
• Internal threats:
  Danger does not always come from the outside. Malicious or negligent actions by employees or other persons who have legitimate access to data (e.g. “abuse of rights” or “error handling”) can lead to serious breaches. The human factor is often the most critical point in data security, so employee awareness and education is crucial.
• Accidental disclosure of data:
  Violations can also occur due to unintentional errors, such as sending an e-mail with sensitive information to the wrong recipient, the loss of unprotected portable devices such as USB sticks 1, or inadequate destruction of paper documents containing personal information. Such “accidental” incidents underscore the importance of established procedures and care in everyday data handling.1

Given the increasingly sophisticated methods of attack that often target human inattention or ignorance, it is becoming clear that technical measures alone are not enough. Continuous education and awareness raising of all users is needed. GDPR principles such as “integrity and confidentiality” and the requirement to implement “appropriate technical and organizational measures” are not static obligations. They imply the need for a dynamic response to constantly evolving threats. Organizations must continuously assess new attack methods and adapt their defense strategies, taking into account the “latest developments” in data protection technology and practices. GDPR compliance is therefore not a one-time project, but an ongoing process of vigilance and adaptation.

II. Shield in the Digital Arena: Personal Data Protection Measures from the Individual to the Corporation

The protection of personal data requires a multi-layered approach that includes compliance with the basic principles of the GDPR and the application of specific measures tailored to different entities – from individuals to large corporations.

A. General measures and basic principles of data protection under the GDPR

The GDPR sets out seven key principles that must guide any processing of personal data:

1. Lawfulness, fairness and transparency: Processing must be lawful, based on one of the legal bases defined by the Regulation (e.g. consent, contract, legal obligation), fair to data subjects and transparent, which means that individuals must be clearly informed about the purpose and manner of processing their data.
2. Purpose limitation: Personal data may only be collected for clearly defined and legitimate purposes and may not be further processed in a way that is incompatible with those purposes.
3. Data minimisation: Only personal data that is necessary to achieve a specific purpose may be collected and processed.
4. Accuracy: Personal data must be accurate and, where necessary, kept up to date. Measures should be taken to correct or delete incorrect data.
5. Storage limitation: Data may only be kept in a form that allows identification of the data subject for as long as necessary for the purposes for which they are processed.
6. Integrity and confidentiality: Appropriate technical and organisational measures should be put in place to ensure the security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
7. Accountability: The controller is responsible for compliance with the above principles and must be able to demonstrate this compliance.

In addition to these principles, the GDPR emphasizes the importance of technical data protection and privacy by design and by default. This means that safeguards, such as reducing the amount of data processed, pseudonymisation (processing data in such a way that it can no longer be attributed to a specific data subject without using additional information) or encryption (data encryption), should be built into systems and processes from the outset, rather than added afterwards.

It is important to note that the GDPR does not prescribe an exact list of technical measures that must be applied. Instead, the Regulation sets out a risk-based framework, requiring organizations to assess and implement “appropriate” safeguards themselves. This flexibility allows for adaptation to specific circumstances, but at the same time places a greater burden of responsibility on controllers to make informed decisions about what is “appropriate” for their situation, taking into account the nature of the data, the scope of the processing, the potential risks and the costs of enforcement. The principle of “data minimization” is not just a technical recommendation, but a strategic approach that fundamentally reduces the potential “attack surface” and potential damage in the event of a breach. Simply put, less data collected and stored means less risk.

B. How an individual should protect their data (Practical tips)

While the GDPR imposes obligations on organizations, individuals also have a key role to play in protecting their own data. Active and informed participation in one’s own digital security is crucial. Here are some practical tips:

• Strong and unique passwords: Use long passwords (minimum 12-14 characters) that combine uppercase and lowercase letters, numbers, and symbols. Avoid using the same passwords for different accounts. Consider using a password manager.
• Two-factor authentication (2FA): Activate 2FA wherever possible. It adds an extra layer of security by requiring another form of authentication (e.g., a code sent to a mobile phone) in addition to the password.
• Phishing Detection: Be extremely cautious of emails, text messages, or calls that ask for your personal information or direct you to suspicious websites. Do not open attachments or click on links in messages from unknown or suspicious senders.
• Safe Internet Use: Avoid entering sensitive information when connected to public Wi-Fi networks. Consider using a virtual private network (VPN) for added security, especially outside of your own home.
• Regular software updates: Update your operating system, web browser, antivirus program, and other applications as soon as updates become available. They often contain important security patches.
• Physical protection and document destruction: Protect your devices (computers, mobile phones) with a password, PIN or biometric protection. Destroy paper documents containing personal information before throwing them away (e.g. by cutting).
• Privacy settings: Regularly check and adjust your privacy settings on social networks and other online services to control who can see your information.
• Awareness of rights: Familiarize yourself with your rights under the GDPR, such as the right of access to data, the right to rectification of inaccurate data, the right to erasure (“right to be forgotten”) and the right to object to processing.

All these tips indicate that the protection of personal data is not a passive expectation that others will take care of our security. Citizens must be aware of their rights and be vigilant to prevent their data from being misused. In this context, digital literacy, which involves understanding online risks and applying safeguards, is becoming a fundamental skill of the modern age, just as important as traditional literacy. The GDPR empowers individuals with rights, but effective self-protection depends on their ability to understand and navigate the digital environment.

C. How a small business should protect the data it processes (Key Strategies)

Small and medium-sized enterprises (SMEs) often have limited resources, but this does not diminish their obligation to protect the personal data they process. The key to success lies in a pragmatic approach that combines basic but consistently applied technical measures with strong employee awareness and responsibility.

• Employee education: The human factor is crucial. Regular education of employees on the importance of data protection, recognizing threats such as phishing and internal security procedures is the foundation.
• Basic technical measures: Implementation and regular updating of antivirus software, setting up firewalls, using strong passwords to access systems and data, and regularly updating all software.
• Encryption and backups: Encrypt sensitive personal information, especially when it is transmitted or stored on removable media. Regularly back up important data and test the possibility of recovering it. For high-risk data, copies should always be encrypted and stored in a secure place, preferably without internet access.
• Access policies and data minimization: Define clear policies on who, when, and why has access to certain data (principle of least privilege). Adhere to the principle of data reduction – collect and store only the data you really need for your business. Set deadlines for deleting data that is no longer necessary.
• Confidentiality statements: Consider using confidentiality statements that require employees to maintain the confidentiality of the information they access.

The GDPR’s scalability in terms of “appropriate measures” means that small businesses are not expected to have the same level of sophistication as large corporations. Measures should be proportionate to the risk, the nature of the data and the resources available. The focus is on the application of the basic principles of protection and responsibility, and not on blindly copying the practices of large systems. Often, employee motivation, good planning and consistency in the application of basic measures are more crucial than expensive technical solutions.

D. How a Large Corporation Should Protect Data (Comprehensive Approach)

Large corporations, given the amount and sensitivity of the data they process, as well as the number of employees, must implement a comprehensive and formalized personal data protection management system. This goes beyond the mere implementation of technical measures and includes management processes, the assignment of specific responsibilities and proactive risk assessment.

• Data Protection Officer (DPO): The appointment of a DPO is mandatory if the processing is carried out by a public authority, if the core activities consist of regular and systematic monitoring of data subjects on a large scale, or if special categories of data or data on criminal convictions are processed on a large scale. The DPO advises the organization on compliance with the GDPR, monitors the implementation and cooperates with the supervisory authority.
• Data Protection Impact Assessment (DPIA): For types of processing that are likely to cause a high risk to the rights and freedoms of individuals (e.g. introduction of new technologies, large-scale processing of sensitive data), a DPIA is necessary.⁶
• Advanced technical measures: Implementation of encryption and pseudonymization where appropriate, defense-in-depth, intrusion detection and prevention systems (IDS/IPS), and regular security testing.
• Strict access controls: Application of the principle of least privilege (employees have access only to data necessary for their work), use of unique user accounts and strong passwords, and recording access to data (logs).
• Data lifecycle management: Regular deletion of personal data that is no longer necessary for the purpose for which it was collected, in accordance with internal policies and legal retention periods.
• Privacy by Design and by Default: Embedding data protection requirements at all stages of the development of new products, services and business processes.
• Records of processing activities: Keeping detailed records of all personal data processing activities, as required by Article 30 of the GDPR, unless there is an exemption.
• Audits and Education: Conducting regular internal and external security audits and comprehensive data protection education and awareness programs for all employees.

The principle of “accountability” for large corporations means not only achieving compliance with the GDPR, but also the ability to continuously prove this compliance through comprehensive documentation, clearly defined policies and procedures, and regular audits. This implies the establishment of a permanent cycle of planning, implementation, verification and action (PDCA) in the field of personal data protection.

III. Who bears responsibility? Clarification of roles in the event of a personal data breach

When a personal data breach occurs, it is crucial to determine who is liable. The GDPR sets out a clear framework of responsibility for the various actors involved in data processing.

A. General responsibility of the controller and processor under the GDPR

The GDPR distinguishes between two key roles in the processing of personal data: the controller and the processor.

• A controller is a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
• A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

The primary responsibility for compliance with the GDPR and for damages resulting from a violation of the Regulation lies  with the controller. It must ensure and be able to demonstrate that the processing is carried out in accordance with the Regulation. A processor is only liable for damage caused by processing if it has not complied with the obligations of the GDPR that are specifically addressed to processors or if it has acted outside or contrary to the lawful instructions of the controller. If more than one controller or processor, or both the controller and the processor, are involved in the same processing and are liable for the damage, each of them shall be considered jointly and severally liable for the entire damage in order to ensure effective compensation to the data subject.

This clear chain of responsibility, with the primary burden on the controller, encourages organizations to choose their processors very carefully and to clearly define data protection obligations in contracts. The controller’s omissions can ultimately be attributed to the controller.

In the context of accountability, the role of the Data Protection Officer (DPO) is also important. The DPO, if appointed, reports directly to the organisation’s top management level and must not receive any instructions from the controller or processor regarding the performance of his tasks. This independence and direct line of responsibility signals that the GDPR treats data protection as a strategic management issue and not solely as an operational IT task, giving the DPO the authority needed for effective oversight and advice.

B. Example: What if a large enterprise experiences a data leak or uses it without authorization?

Data leakage or unauthorized use by a large enterprise can have far-reaching consequences. For affected individuals, this can mean material damage (e.g. financial loss) and non-material damage (e.g. identity theft, discrimination, reputational damage, loss of confidentiality of personal data protected by trade secrets).

Large businesses that violate the GDPR can face extremely high fines. Examples include a €22 million fine imposed on British Airways for leaking the data of more than 400,000 customers, or a €1.24 million fine on the German health insurance company AOK for failing to take appropriate technical and organizational measures.

In the event of a personal data breach, the controller is obliged  to notify the competent supervisory authority (in Croatia, the Personal Data Protection Agency – AZOP) without undue delay, and preferably no later than 72 hours after becoming aware of the breach. If the infringement is likely to cause a high risk to the rights and freedoms of individuals, the controller must also inform those individuals without undue delay.

A data leak in a large enterprise is not just a technical incident; It is a cascading crisis involving legal, financial, reputational and operational consequences. Therefore, it is crucial to have a predefined plan for action in case of violations and to continuously educate employees about their roles and responsibilities. While supervisors may take into account mitigating circumstances when determining the level of the fine (e.g. the economic impact of the COVID-19 pandemic on the reduction of fines for British Airways and Marriott), fundamental failures in the application of appropriate technical and organisational measures remain a key factor for sanctioning.

C. Example: What if the government does not ensure the security of personal data?

The state and public authorities are also subject to the provisions of the GDPR when processing personal data of citizens. This includes the obligation to appoint a DPO for most public authorities. Member States have the possibility to introduce additional conditions and restrictions within national law for the processing of special categories of personal data, such as genetic, biometric or health data, but always within the framework of the GDPR.

When state authorities keep personal data, they must respect the principle of storage limitation, even when there are legal regulations on the preservation of archival records. This means that the data may not be kept longer than necessary for the purpose for which they were collected, unless otherwise prescribed by a special law for archival purposes.

The state has a dual role: as a controller for the data it collects and processes itself (e.g. in the systems of tax administration, healthcare, justice) and as a legislator who can further specify data protection rules at the national level, always respecting the primacy of the GDPR. Furthermore, the state’s obligation to ensure the security of personal data extends to protection against requests from third countries for access to data that are not in accordance with EU law. Judgments of courts or decisions of administrative authorities of third countries ordering the transfer or disclosure of personal data are not enforceable within the EU, unless they are based on international agreements, such as mutual legal assistance treaties. This underlines the principle of data sovereignty within the European legal space.

D. Example: What if an individual breaches someone else’s personal information?

The GDPR primarily regulates controllers and processors, but it also protects individuals from malicious actions by other individuals. The misuse of other people’s personal data may occur for the purpose of causing damage (e.g. injury to reputation and honor, violation of privacy), committing fraud or obtaining an unlawful benefit, for example by concluding false contracts in someone else’s name.

Identity theft is one of the most serious forms of such abuse and is a criminal offense. Examples include opening fake social media profiles with other people’s information and posting inappropriate content, or using other people’s information to enter into contracts with teleoperators. An individual who commits such an act may also be liable for civil liability for damages to the injured person, as well as criminal liability.

Persons whose data has been misused have rights under the GDPR, such as the right to delete or rectify the data they can obtain against organizations that may have enabled this misuse (e.g. failed to adequately protect the data stored on their servers). Digital violence involving the misuse of personal data, such as the creation of fake profiles, is a modern form of violation of privacy and honour with potentially severe psychological and social consequences for victims. This emphasizes the importance of education about responsible behavior in the digital world and the consequences of misuse of other people’s data.

IV. Your rights and legal protection: Steps after a personal data breach

If you suspect that your personal data has been breached or that your data is being processed unlawfully, the GDPR provides you with a number of rights and redress mechanisms.

A. Application to the Personal Data Protection Agency (AZOP)

As mentioned earlier, controllers are obliged to notify the AZOP of a personal data breach within 72 hours of becoming aware of it, unless the breach is likely to cause a risk to the rights and freedoms of individuals. The notification to the AZOP should contain a description of the nature of the breach, the categories and approximate number of affected data subjects and data records, contact details of the data protection officer, a description of the likely consequences of the breach, and a description of the measures taken or proposed to address the breach.

Individuals who believe that their rights to the protection of personal data have been violated may submit  a request for a determination of the violation of rights to the AZOP. The request can be submitted in person (orally on the record), in writing to the address of the Agency, via the online form on the AZOP website, by e-mail or fax. The request must be comprehensible and complete and contain the applicant’s personal data (name, surname, OIB, address), a detailed description of the violation, evidence supporting the allegations (e.g. copies of documents, correspondence) and information on whether the controller has been previously contacted.³⁰ The AZOP advises that before submitting a request to the Agency, an attempt should be made to exercise the right by contacting the controller directly.

The AZOP has broad powers, which include:

• Investigatory powers: The right to access all personal data and all information necessary for the performance of tasks, to conduct investigations in the form of a data protection audit, to have access to the business premises of the controller and processor, including data processing equipment and means.
• Corrective powers: Issuing warnings, warnings, orders to the controller or processor to comply processing operations with the provisions of the Regulation, ordering the deletion of data, restricting or prohibiting processing, and imposing administrative fines that can be very high.
• Advisory powers: Providing advice to the controller in accordance with the prior consultation process and issuing an opinion.

The AZOP acts as a key mechanism for the implementation of the GDPR in Croatia, not only by reactively resolving reports, but also proactively through supervision and consulting. The short deadline of 72 hours for reporting a breach by a controller puts significant pressure on organizations to have in place fast and effective internal procedures for detection, risk assessment and incident reporting, thereby underscoring the critical importance of continuous preparedness.

B. Possibility of court actions

According to Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of this Regulation is entitled to compensation from the controller or processor for the damage suffered.

Examples of non-material harm may include fear of possible future misuse of personal data, loss of control over the data, or emotional harm suffered, provided that such harm is real and provable. The case law of the Court of Justice of the European Union (CJEU), for example in Case C-340/21, confirmed that fear of future misuse of personal data may constitute non-material damage giving rise to a right to compensation, provided that the data subject proves that this fear is well-founded in the light of the circumstances of the case and that he or she has suffered real and certain emotional damage. It is important to note that the GDPR does not set a threshold for the seriousness of the damage that would have to be reached in order to exercise the right to compensation, but proving the existence of actual harm is crucial for the success of the claim.

Court proceedings for the exercise of the right to compensation are conducted before the courts having jurisdiction under the law of a Member State. No appeal is allowed against the decision of the AZOP, but the lawsuit may initiate an administrative dispute before the competent administrative court. This possibility of judicial review of AZOP decisions provides an additional level of legal control and protection of rights for both data subjects and controllers, thus strengthening the rule of law in the field of data protection.

Data subjects shall also have the right to object to the taking of decisions based solely on automated processing, including profiling, where such decisions produce legal effects concerning them or similarly significantly affect them, unless the decision is necessary for the conclusion or performance of a contract, permitted by Union or Member State law, or is based on the data subject’s explicit consent. In these cases, the data subject has the right to request human intervention, express his/her point of view and contest the decision.

The right to compensation for non-pecuniary damage, which also includes the “fear of possible future misuse” of personal data, significantly expands the scope of liability of the controller and processor. This can potentially lead to an increase in the number and value of claims, making the prevention of personal data breaches an even more critical component of business and risk management.

V. Conclusion

The protection of personal data in an increasingly complex digital world is a continuous challenge, but also an imperative for all stakeholders – individuals, companies and state bodies. As this review has shown, the risks of personal data breaches are many and varied, and attack methods are becoming increasingly sophisticated, often targeting the human factor as the weakest link.

The General Data Protection Regulation (GDPR) provides a strong legal framework and sets clear principles for data processing and protection. However, the Regulation alone is not sufficient if it is not implemented consistently and if there is not a high level of awareness of the importance of privacy. The responsibility lies with everyone:

• Individuals must be proactive in protecting their own data, using the tools and knowledge at their disposal and knowing their rights.
• Small businesses need to adopt a pragmatic approach, focusing on basic protection measures and employee education, commensurate with the risks they face.
• Large corporations must implement comprehensive data protection management systems, including formal processes, assigned responsibilities, and advanced technical measures.
• Government authorities have a dual role – as controllers of citizens’ data and as creators of the national legislative framework that complements the GDPR.

Legal protection mechanisms, from reporting to a supervisory authority such as the AZOP to the possibility of lawsuits for damages, ensure that the rights of data subjects can be exercised and those responsible for violations can be sanctioned.

Ultimately, the protection of personal data is not a one-time task, but a continuous process that requires cooperation, accountability, constant learning and adaptation to new threats and technologies. Only through joint engagement and respect for fundamental privacy principles can we hope for a safer digital environment for all. Continuous education and caution remain the best prevention in a world where our personal data is constantly exposed.

In case you need a personal data protection lawyer, please contact us at: info@odvjetnik-bistrovic.hr