Skip to content
All legal docs

Compliance

Data Breach Response Policy

Incident handling and GDPR/DSGVO notification workflow

Brand
Nidai
Owner / Inhaber
Mohamed Essam Mohamed Shafey
Address / Anschrift
Frankfurter Allee 281, 10317 Berlin, Germany
Website
https://nidai.eu
Email / E-Mail
hallo@nidai.eu
Phone / Telefon
+49 157 51456670
Legal form / Rechtsform
Einzelunternehmen (sole proprietorship, not registered in the commercial register)
VAT / USt.
VAT is not charged pursuant to § 19 UStG (Kleinunternehmerregelung).
Tax / Steuer
Steuernummer pending; USt-IdNr. pending.

Purpose

This policy defines how Nidai detects, triages, contains, documents and communicates personal data breaches. When Nidai acts as processor, Nidai must notify the affected customer/controller without undue delay. The controller is generally responsible for authority/data-subject notification unless the contract says otherwise.

Incident Classification

SeverityExamplesInitial response target
LowSuspicious login attempt, blocked attack, no confirmed personal data exposureDocument and monitor
MediumPotential unauthorized access to limited customer records or misdirected email with non-sensitive dataTriage immediately, contain, notify internal owner
HighConfirmed unauthorized access, lost admin credential, exposure of documents/invoices/transcripts, sensitive dataImmediate containment and customer notification
CriticalLarge-scale breach, special-category data, ransomware, public exposure, cross-customer data leakEmergency response; external legal/forensic support

Response Steps

  1. Detect and record time of awareness.
  2. Preserve evidence: logs, screenshots, impacted systems, relevant commits/secrets.
  3. Contain: revoke tokens, rotate secrets, disable affected accounts, isolate systems.
  4. Assess scope: affected customers, data categories, data subjects, special categories, time window.
  5. Determine Nidai role: controller or processor for each affected dataset.
  6. Notify affected customer/controllers without undue delay when Nidai is processor.
  7. Support controller with facts needed for potential Art. 33/34 notification.
  8. Remediate root cause and verify fix.
  9. Document facts, effects and remedial action in breach register.
  10. Post-incident review and update TOMs/processes.

Breach Register Template

FieldEntry
Incident ID[Complete]
Date/time detected[Complete]
Date/time confirmed[Complete]
Reporter[Complete]
Systems affected[Complete]
Customers affected[Complete]
Data subjects affected[Complete]
Data categories[Complete]
Special categories?[Complete]
Likely consequences[Complete]
Containment actions[Complete]
Customer notified?[Complete]
Authority notified by controller?[Complete]
Data subjects notified?[Complete]
Root cause[Complete]
Remediation[Complete]
Lessons learned[Complete]

Communication Rules

  • Do not guess publicly before facts are established.
  • Do not hide uncertainty; communicate what is known, unknown and being done.
  • Customer notification should include facts, data categories, approximate numbers, measures taken and recommended customer actions.
  • Keep all incident communications in one internal incident folder.