ALERT MEMORANDUM
suffered a security breach has not yet been able to map the full extent and scale of the breach does not necessarily mean that there is no inside information.[5]
However, if and when disclosure is made, it must be done in a manner “which enables fast access and complete, correct and timely assessment of the information by the public” as required by Article 17(1) MAR. In the context of a data breach, the requirement to disseminate complete and correct information will need to be carefully balanced against the possible remaining uncertainties about the scope and nature of the breach at the time of disclosure and possible adverse effects for affected individuals in case of a publication of too many specificities of the breach.
Possible Deferral? An EU-listed issuer may, under MAR, decide to defer the disclosure of inside information provided that (i) the immediate disclosure is likely to prejudice its legitimate interests, (ii) the deferral is not likely to mislead the public and (iii) confidentiality can be ensured (Article 17(4) MAR).[6] In many cases, immediate public disclosure of a mass data breach will be likely to prejudice the issuer’s legitimate interests, not only by hampering its ability to map the scale of a data breach, identify the nature, sensitivity and volume of the affected personal data and the number of affected individuals, but also by prejudicing its ability to take effective measures to contain the breach and prevent further breaches and dissemination of the affected personal data. Whether the deferral is likely to mislead the public will depend on the relevant facts and circumstances. If there have been rumors in the press about a possible data breach or statements by the CEO regarding the robustness of the company’s security systems, these circumstances may be relevant factors to consider in determining whether deferral would be likely to mislead the public. In such case the confidentiality may also be compromised (Article 17(7) MAR). Whether confidentiality can be ensured will also partly depend on the notification obligations under GDPR.
[5] In light of the Geltl judgement, a mere “realistic prospect” that a set of circumstances may come into existence, or that an event may occur, is enough (ECJ, June 28, 2012 (Geltl v. Daimler), C-19/11).

[6] See ESMA Guidelines of October 20, 2016.
Selective Disclosure? If disclosure is deferred, any further selective disclosure of the information is prohibited, except within the normal course of professional duties and always subject to a (contractual or legal) confidentiality obligation (see Articles 10(1) and 17(8) MAR). The issuer must be able to ensure the confidentiality of the relevant information at all times. If confidentiality can no longer be ensured, Article 17(7) MAR requires immediate public disclosure.
GDPR’s Notification Requirements[7]
Scope of Application. GDPR applies to the processing of personal data either (i) in the context of the activities of a company’s establishment in the EU (or in a place where EU law applies by virtue of public international law), regardless of whether the processing takes place in the EU or not and (ii) to any company that is not established in the EU, if the personal data processed relates to data subjects in the EU and where the processing activities relate to the offering of goods or services to those data subjects or to the monitoring of their behavior (where the behavior takes place within the EU) (Article 3 GDPR). The definition of personal data applied by GDPR is extremely broad (Article 4(1) GDPR).
Personal Data Breach? GDPR defines a personal data breach quite broadly as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12) GDPR).
Prompt DPA Notification. Article 33(1) GDPR requires a company subject to GDPR to notify a personal data breach to the competent national data protection authority (“DPA”) without undue delay (if feasible within 72 hours), unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”.[8]
Prompt notification is the default rule and companies need to be able to explain and justify any decision to delay notification beyond the initial 72 hours. A

[7] For further detail, see also https://www.clearycyberwatch.com/2018/01/notification-data-breaches-gdpr-10-frequently-asked-questions/

[8] Some EU Member States (Germany, Italy, the Netherlands) already have similar national data breach notification requirements in place independently from the GDPR.