
Introduction: The Clock Is Ticking (72 Hours)
When a company suffers a hack or a personal data breach, the immediate priority is usually technical: containing the incident and restoring systems. From a legal perspective, however, the General Data Protection Regulation (GDPR) starts an unforgiving clock at the same moment.
When a security breach may affect the rights and freedoms of individuals, solving the technical problem is not enough. The organization must be able to demonstrate that it notified both the supervisory authority and, where applicable, the data subjects correctly and on time.
In these scenarios, speed, traceability, and documentary proof make the difference between diligent management and a million-dollar sanction.
Legal Obligations In The Face Of A Security Breach
GDPR establishes a very specific framework for action when a personal data security violation occurs.
Notification To The Supervisory Authority (AEPD)
The company must notify the breach to the Spanish Data Protection Agency within a maximum period of 72 hours from when it becomes aware of the incident, unless it is unlikely to pose a risk to the rights and freedoms of natural persons.
Communication To Data Subjects
When the breach poses a high risk, the company must inform each affected person directly, in a clear and understandable manner.
Proactive Responsibility (Accountability)
It is not enough to claim that a communication was sent. The company must be able to demonstrate irrefutably that it acted with diligence, that it notified, and that it did so within legal deadlines.
Why Ordinary Email Is Insufficient In A Hack
In a sanctioning procedure, the authority will ask a key question:
How can you demonstrate that you notified these specific users and what information did they receive exactly?
Conventional email does not offer sufficient guarantees:
- It does not provide proof of delivery with legal validity.
- It does not accredit the exact content received by the recipient.
- It can be easily challenged if the user denies having received the notification.
- If the company's own mail server is compromised, its sending logs have no independent evidentiary value.
In these cases, it is essential to resort to an external trusted third party that certifies the communication.
Use Cases Of eEvidence In Cybersecurity Crises
Certified electronic evidence becomes a key piece of the incident response plan.
Mass And Certified Notification To Affected Parties
When a breach affects thousands or tens of thousands of people, eEvidence allows automated mass sending, generating an individual certificate for each recipient.
This evidence is directly usable in an audit or inspection by the AEPD.
Certification Of Content Required By GDPR
GDPR requires that the communication include, at minimum:
- The nature of the security breach.
- Contact details of the Data Protection Officer (DPO) or information point.
- Measures adopted or recommended to mitigate the risk.
eEvidence certifies that this specific content was delivered, preserving a complete and sealed copy over time.
Mitigation Of Sanctions
Transparency, speed, and documentary traceability are mitigating factors in the graduation of sanctions. Having solid technical evidence demonstrates diligence and significantly reduces economic and reputational risk.
Executive Summary: Crisis Management And GDPR Notification
| GDPR Requirement | Non-Compliance Risk | Solution With eEvidence |
|---|---|---|
| Urgent deadline | Fines of up to €20M or 4% of turnover | Immediate mass notification |
| Proof of delivery | Defenselessness before AEPD | Certificate with timestamp |
| Message integrity | Denial of content received | Cryptographic hash of content |
| Burden of proof | Obligation to demonstrate diligence | Downloadable technical evidence |
Emergency Checklist: “I Have Suffered A Hack, What Steps Do I Follow Now?”
If your company has detected a security breach, this is the recommended protocol:
Identify and contain
Locate the origin of the incident and isolate the affected systems.
Assess the risk
Determine which categories of data have been exposed, especially whether sensitive data is involved.
Notify AEPD (72 hours)
Inform the supervisory authority, even if you do not yet have all the details.
Identify affected parties
Precisely delimit which people must be informed.
Communicate in a certified manner (critical step)
- Avoid using compromised internal servers.
- Use eEvidence for the notification.
- Include a description of the breach, the measures adopted, and recommendations for the user.
Keep custody of the evidence
Download and preserve the delivery certificates as proof of proactive diligence.
Review and improve
Update your security policies and your incident response plan.
Frequently Asked Questions (FAQ)
Is It Mandatory To Always Inform Affected Parties After A Breach?
Only when there is a high risk to their rights and freedoms, but the burden of proof falls on the company.
Is Registered Email Valid Before AEPD?
Yes. Evidence issued by a trusted third party is fully admissible in sanctioning procedures.
What Happens If I Cannot Demonstrate The Notification?
The absence of irrefutable proof can lead to serious sanctions, even if the notification had been made informally.
Conclusion
In a security breach, the problem does not end when the technical vulnerability is closed. The real risk begins if the company cannot demonstrate that it acted with speed, transparency, and diligence.
Registered email converts GDPR notification into a secure, traceable, and defensible process, allowing organizations to face a cybersecurity crisis with legal guarantees and significantly reduce the sanctioning and reputational impact.
