
GDPR: The Most Frequently Asked Questions: Can a company combine a breach notification message with other communications to impacted data subjects?

October 5, 2018

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Can a company combine a breach notification message with other communications to impacted data subjects?

Answer: Generally no. The Article 29 Working Party took the position that “dedicated messages should be used when communicating a breach to data subjects.” Specifically, the Working Party advised that data breach notifications generally should not be “sent with other information, such as regular updates, newsletters, or standard messages.”