Information on reporting data protection incidents

A data protection incident is a breach of the protection of personal data that leads - unintentionally or unlawfully - to the destruction, loss, alteration or unauthorized disclosure of, or access to, personal data that has been transmitted, stored or otherwise processed.

This can be one of the following scenarios, for example:

  • Unwanted publication of personal data on the Internet
  • Loss of a laptop, smartphone or USB stick containing personal data
  • Theft of documents (physical or electronic) or data carriers
  • Unintentional sending of emails to the wrong recipients
  • Hacking attack on university servers with unauthorized access to personal data
  • Sending an email to multiple recipients (e.g. people interested in a university event) in which all recipients are inadvertently visible to each recipient (CC instead of BCC).
  • Loss of unencrypted data carriers in publicly accessible locations
  • Disclosure of personal data to unauthorized third parties by an employee

There is an obligation to report and document data protection incidents

  • If a data protection incident is likely to result in a risk to the rights and freedoms of natural persons, it must be reported to the data protection authority within 72 hours of becoming known. If the notification is not made within 72 hours, it must be accompanied by a justification for the delay.
  • If a data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects must be notified of the incident without delay. The data subjects do not have to be informed if they already have the information.
  • If the University of Innsbruck becomes aware of data protection incidents and the University of Innsbruck acts as a service provider, these must be reported to the client immediately.
  • Data protection incidents must be documented including all known facts, the effects and remedial measures taken.

What should I do if I suspect a data protection incident at the University of Innsbruck?

Report it immediately to databreach@uibk.ac.at!

Please fill out the form or the registration sheet so that we can quickly assess the incident and communicate with you. You can fill out the form directly on the website.

Data protection incident registration form (German | English) (The template is saved as a Word document and can be filled in directly on the PC.)

A responsible person will contact you promptly (usually within 3 hours) for clarification. If this is not the case, please also contact one of the following offices by telephone:

  • Data Protection Coordination: +43 512 507 20520 or ext. 20523
  • IT Security Manager: +43 512 507 23010 (if unavailable: ext. 23005)
  • Data Protection Officer: +43 7242 2155 65065

Data protection incident form

in accordance with Art. 33 of the EU General Data Protection Regulation (GDPR)

What exactly happened, how could it have happened, and what personal data is affected?
Where did the incident take place?
If a technical device (laptop, etc.) is affected by the incident, please provide further details (type of device, equipment number, etc.).
The following measures were taken to remedy the breach of personal data protection
Your phone number and email address where we can reach you at short notice for further clarification