top of page

GDPR data protection incident management service

We are handling the suspected incident. We help you decide whether to report it to the authorities. If necessary, we will prepare the complete documentation. We know the loopholes and minimize the possible punishment during accurate cooperation with the authorities.

According to current official practice, the most important thing is for the Data Controller to initiate the official notification within 72 hours of becoming aware of the incident. Reporting the incident to the authorities in the format issued by NAIH means filling out a 26-page document. 


The notifier can also make the report online, here the same data must be provided to the authority via an online form. Within the framework of our service, our consulting colleagues interpret the situation, get to know all the circumstances and evaluate the situation based on the GDPR incident definition, and what category the incident should be classified into.


Incidents to be recorded – no reporting requirement

If it can be proven that the resulting data protection incident probably does not pose a risk to the rights and freedom of natural persons, the incident must NOT be reported to the Authority. 


Reportable incidents

The most important thing in such cases is for the Data Controller to provide the Authority as quickly and as widely as possible with information about the IT organizational measures it has taken to ensure that the incident does not occur again. By professionally and convincingly documenting these data, the penalty can even be avoided in cases where reporting is required. 

What is a data protection incident?

  • If a notebook containing personal data (Excel, correspondence, e-mail addresses, software) is stolen/lost.

  • The organization sent personal data (table, document) to the wrong place by e-mail.

  • The organization sends a newsletter to people who have not consented to it.

  • The organization made personal data public / accessible to unauthorized persons.

  • Extortion virus encrypted personal data.

  • Etc...

Who do we recommend?
  • For those whose incidents are rare and would entrust the reporting to an experienced partner in order to minimize or avoid possible punishment.

  • Those who have many data management incidents and would outsource the management and documentation.

Occasional order
  • We will start handling the incident within 24 hours.

  • Incident documentation.

  • On-site drop-off when necessary.

  • IT, GDPR and regulatory investigation of the incident.

  • NAIH notification if necessary.

Flat rate service

Guaranteed continuous availability.


  • We will start handling the incident within 8 hours.

  • Even decision support related to immediate telephone incident reporting.

  • Available monthly hours.

  • Incident documentation, IT, GDPR,   and regulatory investigation.

  • NAIH notification if necessary.

Subcontractor incidents

The Data Controller must also report the incident to the Authority if the incident occurred at a subcontractor that manages the data of its partners, customers, and users on its behalf. 

Why Gill & Murry?

We provide DPO services for several large data controllers, and as a result, unfortunately, we have a lot of experience in handling suspected incidents and incidents. We understand not only the legal field of the GDPR, but also the IT and process organization fields. 


The experience of handling major incidents has given us the opportunity to learn about the loopholes inherent in the notification process, which we exploit for the benefit of our customers.

bottom of page