## purpose
- in [[An introduction to data privacy]], Staal points out that #privacy is not mentioned but is still understood to be one of the purposes of the legislation
## reporting
Under this [[EU|European Union]] directive, an organisation experiencing a breach of personal data must report the breach to its national authority within 72 hours at the latest, and without 'undue delay'.
The report must contain the following information:
- the number of affected data subjects
- the number of affected records and their categories
- the name and contact details of the reporting organisation's data protection officer
- the scope of the risk to the personal data
- the measures that have been taken to mitigate further damage, including the actions taken to remedy the breach
## content
### Article 4: [[data controller|controller]] and [[data processor|processor]]
- defines what counts as personal data, and hence what the GDPR applies to: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
- note that the natural person must be alive
- legally, anonymous data is not personal data