How to deal with a leak of personal data (data breach) from an e-shop?

Do you run an e-shop? Today it is possible to get such a solution in a few clicks. You can set up additional add-ons in your e-shop to help you with billing, statistics or add other interesting extensions. Often, when choosing an add-on, you also agree to terms and conditions and other rules that, let's face it, not many actually read.

Everything is working fine, but suddenly you find out that the platform on which the e-shop is run has had a major data leak. Or you get a message from that platform saying there's been a leak.

What comes next?

A step-by-step of what to do when there is a leak of personal data

  1. Gather as much information as you can

First, you need to get as much information as possible. In a very short time. If there has been a data breach, you have 72 hours from the time you become aware of the incident to report it to the Data Protection Authority.

What information should you ideally obtain:

  • When the incident occurred: this information should be as specific as possible, ideally it is good to know the exact time


  • When did you become aware of the incident: as we mentioned above, the incident may have been caused by, for example, the provider of the add-ons or the platform where you run your e-shop. There may therefore be a time difference between when the incident occurs and when you become aware of it.
    • The good news: You must report to the Data Protection Authority within 72 hours of becoming aware of the incident, not from the time it occurred.


  • If the incident is still ongoing: is this a large-scale hacking attack? Was it a one-time database access? Has the threat already been removed? These are the questions you should answer, or ask your platform or add-on provider involved in the leak for answers.


  • What the consequence of the incident was: here you will be particularly interested in whether the data may have fallen into the wrong hands, become inaccessible, been misused, deleted, etc.
    • As part of risk reporting and remediation, you will need to describe what caused the security incident and what the consequences were.


  • What personal data is involved: is it names, surnames, dates of birth, birth numbers, financial data, location data? Or is it much more serious and is there a problem even with data on health, sexual orientation, political opinions, etc.?


  • Who is behind the personal data (categories of data subjects): are they your customers? Suppliers? Who are the individuals whose personal data is at risk?


  • How many people will be affected by the incident: try to give an exact number, or at least an estimate.


  • What people are at risk of: here comes the very tricky part, where you need to take stock of what can happen to people from a security incident:
    • Is there a risk that the data will be misused and financial damage may occur?
    • Can identity theft occur?
    • Will the data become unavailable to the subjects, resulting in the inability to deliver the goods/services etc.?
    • Can fraud be committed?
    • Could the reputation of data subjects be at risk?

For the last point, you need to assess the risks associated with the incident. Here, however, the assessment is very individual. In general, however, if sensitive data (health, sexual orientation) are involved in the incident, a high risk to the data subjects is virtually certain.

Why is it important to assess the risk?

The amount of risk determines the other obligations. If the risk is high, the people involved should also be notified of the incident. This makes sense, because if the risk is high, there is a risk of significant harm to these people, so they must be able to take steps to prevent this harm or at least be aware of it.

Clueless how to assess the risks? Drop us a line ↗ or have us do a complete GDPR mapping ↗ for you.
  1. Prepare all the documentation you have on GDPR

In particular, prepare processing agreements with the providers involved in the incident (if they are processors).

Was there a data leak on the side of the platform operator where the e-shop operates? It is very likely that this operator will be in the position of a personal data processor (it may provide the storage of personal data and other processing activities that it performs only for the e-shop).

Do you know where to look for a possible processing contract? Check the agreed terms and conditions or make a query on the platform.

At the same time, prepare any other documentation you have on GDPR.

You are not submitting the documents anywhere for the time being, but the Data Protection Authority may request them as part of further resolution. So you can skip this step for now, but it is advisable to have everything ready. At the same time, you may find some of the information useful when completing the report.

"I have nothing, I'm afraid of a fine, so I'd rather not report anything,"

Don't do it. If the incident is more widespread, it will start to spread through the media. It's very likely that the Data Protection Authority will eventually find out. And there's nothing worse than having nothing and not reporting the incident within the time limit.

"I missed the deadline and now I'm afraid to report the incident."

Better late than later. Report the incident anyway. Try to explain in your report what caused the delay.

  1. Prepare a report to the Data Protection Authority

Now comes the unpopular part. There is an interactive form for reporting a security incident, which is available on the website of the Office for Personal Data Protection.

The form is available here ↗

Instructions on filling out the form -->

This form should be filled in and sent to the Office for Personal Data Protection by e-mail: or to the data box: qkbaa2n. You can also use the submit button available on the form itself.

When completing the report, you should base it on the information you obtained in step one. The form is fairly intuitive, but if you have any problems with it, drop us a line ↗ and we will help you complete it.

  1. Continue to monitor the situation and report any changes

You may not know all the information when you fill in the form. But at the same time, you will be pushed for 72 hours. It is possible to skip some parts of the report and you can complete them at any time later.

The GDPR states, "If it is not possible to provide the information at the same time, it may be provided sequentially without further undue delay." 

On the reporting form itself, you can also check whether it is an initial or additional report.

  1. Keep a record of the security incident

Each controller has an obligation to document security breaches. Such documentation should include:

  • What was the security incident
  • What is the consequence of the incident
  • What measures have you taken to resolve the incident

294 reports in the last year

We live in a time when the risk of potential security incidents is increasing. If one has happened to you, you're certainly not the first or the last person it has happened to. Last year, 294 security incidents were reported to the Data Protection Authority. That's almost 1 security incident every day. But these are only the reported ones, and the actual number will be much higher.

Want to check you're GDPR compliant so you don't have to worry about reporting anything?

drop us a line -->

Arrange a meeting via Calendly

Potřebujete pomoct s nastavením GDPR v oblasti e-commerce?

Napište nám →