Data Breach Incident Response Plan
Last updated: 11 October 2025
Article 1 – Purpose and Scope
This Data Breach Incident Response Plan (“Plan”) defines the procedure that the
Relativity Team – the robotics team of
Liceul Teoretic de Informatică „Alexandru Marghiloman” Buzău (the “Controller” or “Organiser”)
and its technical provider, EssenByte Solutions (the “Processor” or “Technical Provider”),
follow in the event of a personal data breach. It applies to all information systems,
websites and competition platforms under their management and to all staff, volunteers and contractors
processing personal data on their behalf. The Plan ensures compliance with Article 33 GDPR,
which requires controllers to notify the competent authority of a personal data breach within 72 hours
and, where necessary, to inform affected individuals.
Article 2 – Definitions
- Personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Controller: the entity determining the purposes and means of processing (Relativity Team).
- Processor: the entity processing data on behalf of the controller (EssenByte Solutions).
- Supervisory authority: the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
Article 3 – Detection and Reporting
- Incident identification: All staff and contractors must immediately report any suspected or confirmed incident involving personal data to the Data Protection Officer (DPO) or designated incident contact at privacy@essenbyte.com.
- Initial containment: The IT team must isolate affected systems, disable compromised accounts, and preserve logs and evidence for analysis.
- Notification to DPO: The incident must be logged and reported to the DPO within 24 hours. The DPO will assess whether it constitutes a GDPR-defined personal data breach and whether external notification is required.
Article 4 – Investigation and Assessment
- Assessment team: The DPO convenes a team including IT, legal, communications and management to evaluate:
  - Categories and approximate number of affected data subjects;
  - Categories and approximate number of data records concerned;
  - Likely consequences of the breach;
  - Whether the data were encrypted or otherwise protected.
- Risk evaluation: The team assesses the risk to data subjects’ rights and freedoms (e.g., identity theft, financial loss, reputational damage). If risk is low, authority notification may not be required.
Article 5 – Notification Obligations
- Supervisory authority: If the breach is likely to result in a risk to individuals’ rights and freedoms, the Controller must notify ANSPDCP without undue delay and, where feasible, within 72 hours of becoming aware of it. Any delay must be justified. Notifications must include:
  - Description of the breach and affected data categories;
  - Contact details of the DPO;
  - Likely consequences of the breach;
  - Measures taken or proposed to address and mitigate the breach.
- Communication to data subjects: If the breach poses a high risk, the Organiser must inform affected individuals promptly and in clear language, providing mitigation advice (e.g., password reset, vigilance for fraud).
- Processor notification: If the incident occurs within EssenByte’s infrastructure, the Processor must notify the Controller immediately. The Controller remains responsible for external notifications.
Article 6 – Mitigation and Documentation
- Remediation: IT shall restore system security and implement preventive measures such as patching, credential rotation, and access reviews.
- Record keeping: Every breach must be documented, detailing facts, effects, decisions, and corrective measures. Records must enable ANSPDCP to verify compliance.
- Third-party coordination: When service providers are involved, the Organiser coordinates remediation under the terms of the Data Processing Agreement.
Article 7 – Post-Incident Review and Training
- Lessons learned: After containment, a post-incident review identifies root causes and evaluates response effectiveness. Updates are applied to policies and security controls.
- Training: Regular security and data-protection training is mandatory for staff. The Plan is tested periodically through tabletop or live simulation exercises.
Article 8 – Governance and Amendments
- Responsibility: The DPO maintains this Plan, monitors compliance, and coordinates breach-response activities. Senior management ensures adequate resources and authority for incident response.
- Amendments: This Plan is reviewed annually or whenever laws, systems, or organisational structures change. The latest version is published on the official website. Major updates may be communicated via email or on-site notices.
- Governing law: This Plan is governed by Romanian law, and disputes shall fall under the jurisdiction of the competent courts of Buzău, Romania.