Personal Data Breach Procedure

Non-binding translation
This is an informational English translation. The legally binding version is the German original.

INCIDENT RESPONSE PLAN

Procedure for Personal Data Breaches pursuant to Art. 33/34 GDPR

meisterwork GmbH
Version: 1.0
Last updated: 01/11/2025


1. Purpose and Scope

This plan governs how to deal with personal data breaches ("data breaches") at meisterwork GmbH. It ensures that:

  • Incidents are detected and contained quickly

  • Statutory notification obligations are fulfilled

  • Affected individuals are appropriately informed

  • Lessons are learned from incidents

Scope: All employees, resellers and sub-processors

2. Definition of a Personal Data Breach

A personal data breach occurs in the case of:

  • Destruction: Unintentional or unlawful loss of data

  • Loss: Data is no longer available

  • Alteration: Unauthorised manipulation of data

  • Unauthorised disclosure: Access by unauthorised persons

  • Unauthorised access: Intrusion into systems

Examples:

  • Hacker attack on the server

  • Loss of data carriers

  • Accidental e-mail sent to the wrong recipient

  • Ransomware infection

  • Unauthorised employee access

  • SQL injection or other security vulnerabilities

  • Note: In the case of issues with payment data, Stripe must be informed separately as the payment service provider

3. Organisational Structure

3.1 Incident Response Team

Data Protection Team Lead:

  • Name: Georg Kitz

  • Telephone: +43 720 317 836

  • E-mail: support@bessa.app

  • Deputy: Daniel Lichtenegger

Technical Lead:

  • Name: Richard Marktl

  • Responsible for: Technical containment

Communications Lead:

  • Name: Daniel Lichtenegger

  • Responsible for: External communication

3.2 Availability

  • Telephone: +43 720 317 836

  • E-mail: support@bessa.app

4. Procedural Steps

PHASE 1: IMMEDIATE MEASURES (0-4 hours)

1.1 Detection and Initial Assessment

Who: Any employee who detects an incident
What:

  • Immediate notification to the Incident Response Team

  • No unilateral actions

  • Secure evidence (screenshots, logs)

Notification content:

  • Time of detection

  • Type of incident

  • Affected systems / data

  • Damage that has already occurred

  • Initial estimate of the scope

1.2 Containment

Who: Technical Lead
What:

  • [ ] Isolate affected systems

  • [ ] Lock access

  • [ ] Prevent further spread

  • [ ] Check backup status

  • [ ] Create forensic copies

1.3 Initial Documentation

Who: Data Protection Team Lead
What: Documentation in the incident log:

  • Timestamps of all actions

  • Persons involved

  • Measures taken

  • Communication

Contact for incidents: support@bessa.app

PHASE 2: ANALYSIS AND ASSESSMENT (4-24 hours)

2.1 Detailed Analysis

Determine scope:

  • [ ] Number of affected records

  • [ ] Categories of affected individuals

  • [ ] Type of affected data

  • [ ] Sensitivity of the data

  • [ ] Period of unauthorised access

Root-cause analysis:

  • [ ] How did the incident occur?

  • [ ] Technical failure?

  • [ ] Human error?

  • [ ] Malicious act?

2.2 Risk Assessment

Risk matrix:

Criterion                | Low Risk                   | Medium Risk                        | High Risk
-------------------------|----------------------------|------------------------------------|--------------------------------
Data categories          | Public data                | Contact data, order data, receipts | Health data, special categories
Number of affected       | < 100                      | 100-1000                           | > 1000
Identifiability          | Pseudonymised              | Indirectly identifiable            | Directly identifiable
Severity of consequences | None / minor inconvenience | Manageable disadvantages           | Substantial disadvantages

Note:

  • Since no sensitive payment data (credit cards, bank details) is stored in the bessa system, the risk in case of data breaches is reduced. Payment data is processed exclusively via Stripe.

  • Hospitality: No ID or registration data is processed in bessa, only billing data for additional services and, where applicable, customer loyalty data.

Decision tree:

  • High risk → Notify the authority AND the affected individuals

  • Medium risk → Notify the authority; inform the affected individuals on a case-by-case basis

  • Low risk → Notify the authority; usually no information for affected individuals

PHASE 3: NOTIFICATION (24-72 hours)

3.1 Notification to the Authority (Art. 33 GDPR)

Deadline: Within 72 hours of becoming aware

To: The competent data protection authority

Content of the notification:

  1. Nature of the breach

  2. Categories and approximate number of affected individuals

  3. Categories and approximate number of records

  4. Name / contact of the data protection officer

  5. Likely consequences

  6. Measures taken / proposed

Template: See Appendix A

3.2 Information of Affected Individuals (Art. 34 GDPR)

When: In the case of a high risk to rights and freedoms

Exceptions to the duty to inform:

  • The data was encrypted

  • Subsequent measures eliminate the high risk

  • Disproportionate effort (then public announcement)

Content:

  • Comprehensible description of the breach

  • Contact details for further information

  • Likely consequences

  • Measures taken

  • Recommendations for affected individuals

Communication channels:

  • Direct e-mail (preferred)

  • Letter

  • Website notice

  • App notification

PHASE 4: RECOVERY (1-7 days)

4.1 System Cleanup

  • [ ] Remove malware

  • [ ] Close security gaps

  • [ ] Apply patches

  • [ ] Reset passwords

4.2 Data Recovery

  • [ ] Restore from backups

  • [ ] Verify integrity

  • [ ] Test functionality

4.3 Resumption of Operations

  • [ ] Gradual activation

  • [ ] Increased monitoring

  • [ ] Communication to users

PHASE 5: FOLLOW-UP (7-30 days)

5.1 Lessons Learned

Conduct: Within 2 weeks after the incident

Participants:

  • Incident Response Team

  • Affected departments

  • Management

Agenda:

  1. Timeline of events

  2. What went well?

  3. What went badly?

  4. Suggestions for improvement

  5. Action plan

5.2 Documentation

Final report includes:

  • Complete chronology

  • Root-cause analysis

  • Impacts

  • Measures taken

  • Costs

  • Improvement measures

5.3 Preventive Measures

  • [ ] Update security policies

  • [ ] Strengthen technical measures

  • [ ] Employee training

  • [ ] Adjust processes

5. Special Scenarios

5.1 Ransomware Attack

  1. Immediately: Disconnect the network

  2. Check backup integrity

  3. No ransom payment without legal advice

  4. File a criminal complaint

  5. Contact BSI / CERT

5.2 Data Leak by an Employee

  1. Withdraw access rights immediately

  2. Consider employment-law steps

  3. Determine the scope of the disclosure

  4. File a criminal complaint where appropriate

5.3 Loss of Hardware

  1. Remote wipe if possible

  2. Change passwords

  3. Check encryption status

  4. Notify the police in case of theft

5.4 Misdirected E-Mails

  1. Attempt recall

  2. Ask the recipient to delete

  3. Request a confidentiality undertaking

  4. Inform affected individuals

5.5 Hospitality-Specific Scenarios

Unauthorised access to billing data:

  1. Lock access immediately

  2. Determine the scope of the data viewed

  3. Inform affected hotels / guests

  4. Implement enhanced access controls

Incorrect room allocation:

  1. Make corrections in the system

  2. Correct affected invoices

  3. Internal documentation

  4. Review processes

5.6 Tax Advisor-Specific Scenarios

Unauthorised access by a tax advisor / accountant:

  1. Lock access immediately

  2. Inform clients

  3. Determine the scope of the data viewed

  4. Documentation for professional supervision

  5. Where appropriate, report to the tax advisor chamber

Compromised tax advisor credentials:

  1. Immediate password reset

  2. Review of all access

  3. Information to affected clients

  4. Activate two-factor authentication

  5. Security training for the firm

6. Communication Plan

6.1 Internal Communication

  • Employees: Via intranet / e-mail

  • Resellers: Immediate notification by e-mail

  • Management: Personal information

6.2 External Communication

Communication matrix:

Stakeholder          | Channel         | Timing              | Responsible
---------------------|-----------------|---------------------|---------------------
Authorities          | E-mail / portal | < 72h               | Data protection team
Affected individuals | E-mail / letter | Without undue delay | Communications
Press                | Press release   | As needed           | Management
Partners             | E-mail          | < 24h               | Account management

6.3 Communication Templates

  • See Appendices B-E

7. Contact List

Internal Contacts

Role        | Name               | Telephone | E-mail
------------|--------------------|-----------|-------------------------------
Management  | DI D. Lichtenegger | +43 XXX   | d.lichtenegger@meisterwork.com
IT Security | [Name]             | [Tel]     | [E-mail]
Legal       | [Name]             | [Tel]     | [E-mail]

External Contacts

Organisation                 | Contact            | Availability
-----------------------------|--------------------|-------------
Data Protection Authority AT | +43 1 52152-0      | Office hours
http://CERT.at               | +43 1 5056416 78   | 24/7
Cyber insurance              | [Number]           | 24/7
IT forensics                 | [Service provider] | 24/7
Legal advice                 | [Firm]             | Office hours

8. Technical Tools

8.1 Monitoring Tools

  • AWS CloudWatch

  • Intrusion Detection System

  • Log analysis tools

8.2 Documentation Tools

  • Incident tracking system (Jira)

  • Encrypted communication

  • Secure document storage

9. Training and Exercises

9.1 Training Plan

  • Q1: General awareness raising

  • Q2: Phishing simulation

  • Q3: Incident response exercise

  • Q4: Lessons-learned workshop

9.2 Exercise Scenarios

  • Tabletop exercise (semi-annually)

  • Technical simulation (annually)

  • Communication exercise (annually)

10. Maintenance of the Plan

  • Review: Annually or after major incidents

  • Responsible: Data Protection Team Lead

  • Next review: [date]


APPENDICES

Appendix A: Notification Template for the Data Protection Authority

Subject: Notification of a personal data breach pursuant to Art. 33 GDPR

Dear Sir or Madam,

We hereby report a personal data breach:

  1. Contact details of the controller:

  • meisterwork GmbH

  • [Further details]

  2. Time and nature of the breach:

  • Date / time of the breach: [date]

  • Date / time of becoming aware: [date]

  • Nature: [Unauthorised access / loss / destruction]

  3. Affected individuals and data categories:

  • Number of affected individuals: [approx. X]

  • Categories: [Customers / employees / etc.]

  • Data categories: [Name, e-mail, etc.]

[Further details pursuant to Art. 33 GDPR]

Appendix B: Information Letter to Affected Individuals

[Template for information to affected individuals]

Appendix C: Internal Escalation Matrix

[Who is informed, and when]

Appendix D: Checklists

[Detailed checklists for each phase]

  • GDPR Art. 33 – Notification to the supervisory authority

  • GDPR Art. 34 – Information of affected individuals

  • GDPR Art. 32 – Security of processing


Document history:

Version | Date   | Change           | Author
--------|--------|------------------|-------
1.0     | [date] | Initial creation | [Name]

Approval:
Management: _________________ Date: _______