Data Breach Handling Policy

1. Purpose of the Policy

This Data Breach Handling Policy establishes the procedures that Seatlr follows to detect, assess, respond to, and report personal data breaches in compliance with:

  • EU GDPR (Regulation (EU) 2016/679)
  • UK GDPR and the Data Protection Act 2018
  • Swiss Federal Act on Data Protection (nFADP)

The purpose of this policy is to ensure consistent and effective breach management across all jurisdictions where Seatlr processes personal data.

2. Scope

This policy applies to all personal data processed by Seatlr, including data collected, stored, transmitted, or otherwise handled through Seatlr software or any related systems, integrations, or third-party services, regardless of whether the data subjects are located in the EU, the UK, or Switzerland.

3. Definition of a Personal Data Breach

A personal data breach is any security incident that results in:

  • Accidental or unlawful destruction of personal data
  • Loss, alteration, unauthorized disclosure, or unauthorized access
  • Any compromise to confidentiality, integrity, or availability

This definition applies equally under EU GDPR, UK GDPR, and Swiss nFADP.

4. Responsibilities

4.1 Data Protection Officer (DPO) / EU Representative / UK Representative (if applicable)

Responsible for:

  • Assessing the severity and impact of the breach
  • Determining notification obligations under EU, UK, and Swiss law
  • Coordinating communication with supervisory authorities
  • Coordinating communication with affected individuals
  • Ensuring documentation of all incidents

4.2 Internal Team Responsibilities

All employees, contractors, and system administrators must immediately report any suspected or confirmed breach to the DPO or designated contact.

5. Detection and Reporting of Breaches

5.1 Internal Reporting

Any individual who becomes aware of a potential breach must report it immediately.

5.2 Automated Detection (Seatlr Software)

Seatlr software may generate alerts or logs indicating unusual activity. These must be reviewed promptly to determine whether a breach has occurred.

6. Breach Assessment Procedure

Upon receiving a report, the DPO must:

  1. Identify the nature and scope of the breach
  2. Determine the categories and volume of personal data affected
  3. Assess the potential impact on individuals
  4. Determine applicable legal obligations (EU, UK, Swiss)
  5. Decide whether notifications are required

7. Notification Requirements

7.1 EU GDPR (72-Hour Rule)

If the breach is likely to result in a risk to individuals' rights and freedoms, the relevant EU Data Protection Authority must be notified within 72 hours.

7.2 UK GDPR

If the breach is likely to result in a risk to individuals' rights and freedoms, the ICO (Information Commissioner's Office) must be notified within 72 hours.

7.3 Swiss nFADP

Notification to the Swiss Federal Data Protection and Information Commissioner (FDPIC) is required if the breach poses a high risk to the personality or fundamental rights of affected individuals.

7.4 Notification to Affected Individuals

Under all three laws, individuals must be notified without undue delay if the breach poses a high risk to their rights and freedoms.

8. Documentation of All Breaches

Seatlr must maintain an internal record of all breaches, whether reportable or not, including:

  • Date and time of detection
  • Description of the incident
  • Systems affected (including Seatlr software)
  • Assessment results
  • Actions taken
  • Whether the breach was reported to EU, UK, or Swiss authorities

9. Mitigation and Remediation Measures

Seatlr will take appropriate steps to:

  • Contain the incident
  • Prevent further unauthorized access
  • Restore system integrity
  • Implement additional security controls
  • Review and update internal procedures

10. Use of Seatlr Software in Breach Management

Seatlr software is part of the data processing environment. Any breach involving data processed through Seatlr must follow this policy. Seatlr logs, audit trails, and system alerts may be used to investigate and document incidents.

11. Review and Updates

This policy will be reviewed annually or after any major incident to ensure continued compliance with EU GDPR, UK GDPR, and Swiss nFADP.