Data Breach Notification

As a Data Controller, you are legally required to report any deviations as soon as possible, and no later than 72 hours after the discrepancy has been detected. In this article we will inform you how.

What is a personal data breach?

A Data breach of personal information is a breach of security that leads to accidental or illegal destruction, loss, change, illegal spread or access to personal data that has been transferred, stored or otherwise processed.

When should I report a data breach?

When a deviation occurs.

Requirements for the sender

  • Access to form
    • You must make sure that you have the authority to report on behalf of your business. To complete and submit the form, you need the Altinn role "Complement / Submitter". If you do not have such access, you must ask it in the business that has the role of "Access Control" to be assigned the role as "Complementer / Submitter." It is also possible to access this form only.
  • Electronic ID (eID)
    • You need an electronic ID (eID) to log in to Altinn. If you do not wish to use your private eID, your business may acquire a business certificate from Commfides or Buypass.

How to write a Data Breach Notification

The online form requires to fill out theres fields:
  • Description of the deviation
    • major cause
    • period
    • when the deviation was discovered
    • number of affected persons
    • A description of what has happened
    • how the deviation occurred
    • Description of the type of personal data that was affected
    • what relationship the business has with the affected persons
    • Description of where personal information is located after the deviation.
  • Consequences
    • Describe possible consequences the deviation has caused to the affected persons.
  • Action
    • Describe what actions are taken and planned to prevent recurrence and what has been done to reduce potential harm.
  • Information
    • Have the people affected been informed?
      • Those who are affected by a deviation, ie those who have received personal information, should be informed if it is likely that it will pose a high risk to their rights and freedoms. This should be done as quickly as possible.
  • Contact Information
    • Name and contact details of the privacy representative or contact person at the company who can provide more information about the deviation.
  • Attachment
    • The Data breach notification is delivered by filling out the main form. If you want to upload an attachment, you can do this by touching the tab; 
      • "Overview - Form and Attachment" tab.
  • Opportunity for step-by-step reporting
    • If you do not have all the information needed for initial completion, you can submit the non-conformance message step by step. For example, type "Here's more information" in the respective fields in the form.

      When you then submit more information, you must log in to Altinn again and find the submitted form. It will then be in your inbox.

      When you open the form, it will say "An error has been submitted to this publisher before. Is this a new error message or an addition to a previously submitted message? ". The form will contain only one page with a text box where you fill out the remaining information.

      It is also possible to send attachments by touching the sheet tab "Overview - Form and Attachment".

Loyall's role in data breach

Loyall shall assist
If the data breach is caused within Loyall Solutions, Loyall, as a data processor, shall assist and provide the documentation required to enable the data controller to fulfill its duty.

Detecting a breach
If Loyall detects a data breach, Loyall will as soon as the break is discovered, briefly inform the controller by email, along with information about how the breach can be handled. 

The controllers responsibility
It is the full responsibility of the Controller how the breach is handled, but Loyall will be available for any question, even outside working hours.


Any questions related to Loyall privacy Is addressed: