GDPR requires companies to notify data breaches to the supervisory authority „…without undue delay and, where feasible, not later than 72 hours…“1 Insofar the notice period of 72 hours would include weekends companies were required to organise an urgency duty Saturdays and Sundays for the DPO and for relevant IT staff. But with reference to a EU-regulation dating from June 1971 the notice period shall be extended on weekend.
Does national law or EU-law apply?
According to German civil law the notice period would be calculated while excluding weekends. Insofar as a deadline is expiring on Saturday or on Sunday, the end of the deadline will be shifted to the next Monday.2 The same principle applies for public holidays.
But the application of national law bears the risk to lead to different notice periods in different member states. In one member state a controller may be regarded as compliant with GDPR since the a controller may be fined by the national DPA3 in a different member state for adhering to the same notice period.
In addition, the aim of the GDPR is to be equally applying to all member states. This derives from the character as EU-regulation and at the same time from the principle of primacy of EU-Law over national law. Therefore the caculation of the notice period must refer to EU-law.
Unfortunatly, the EDPB4 does not explicitly elaborate how to deal with the weekend in it’s respective working paper.5 The EDPB seems to be of the opinion that the notice period is exactly 72 hours regardless whether the period falls on a Saturday or S–unday.
Regulation (EEC, EURATOM) No 1182/71
In contrast to the EDPB, two German lawyers are referring to the Regulation (EEC, EURATOM) No 1182/71 when calculating the notice period for data breach.6 This regulation – dating from of 3 June 1971 – has the aim
“…to ensure the uniform application of Community law and consequently to determine the general rules applicable to periods, dates and time limits;…“
This intention exactly meets the need of GDPR to define the general rules not only on the level of data protection but equally in respect of the time limits for the data breach notice period. In addition, Regulation No 1182/71 has an effect on other areas of law for calculating periods – e.g. on public procurement law.7
How to calculate the notice period on weekend
Start and end of 72 hours period
According to GDPR the notice period for data breach begins with the knowledge of the data breach.8
When the period begins with an event (the knowledge) the very hour when the event occurs does not fall into the period in question according to Regulation No 1182/71. Rather the period begins to run at the hour that follows the hour where the event has occurred.9 Since the notice period terminates after a fixed time period (72 hours), the period ends with the expiry of the last hour of the period according to Regulation No 1182/71.10
start: 1st hour after event (knowledge)
end: expiring of the last of the 72 hours
Example: When the controller has become aware of the data breach on Monday at 14:30 the period begins to run on Monday at 15:00 and ends (after 72 hours) on Thursday at 15:00.
Notice period on weekend
Regulation No 1182/71 acknowledges the special situation of companies and public bodies during the weekend when usually no staff member is working. But the regulation does not explicitly mention weekends. The regulation rather turns the logic by requiring a minimum of working days11. Art. 3 (5) Regulation No 1182/71 states:
“Any period of two days or more shall include at least two working days.“12
The term “any period“ signalises that regardless whether the period is to be calulated on basis on hours, days or in any other way, every period which is longer than two working days has to acknowledge the special situation during the weekend.13 Since the notice period of the 72 hours is longer than two days, this rule is applying for the notice period of data breach according to GDPR.14
The calculation of periods on basis of days according to Regulation No 1182/71 follows the same principle than for the calculation of hours, which was mentioned above: The day of the event (knowlegde of data breach) is not considered as falling within the period in question.15 The day following the day on which the controller has become aware of the data breach is the first day of the period.16 The period of days terminates with the expiring of the last hour of the last day of the period.17
start: 1st working day after event (knowledge)
end: expiring of last hour of 2nd working day
Example 1: When the controller has become aware of the data breach on a Friday the period of two working days begins at Monday (Friday is the day of the event which does not fall within the period) and ends on Tuesday at midnight.
Example 2: When the controller has become aware of the data breach during on a Saturday the period of two working days begins at Monday (Saturday is the day of the event which does not fall within the period and Sunday is no working day) and ends at Tuesday at midnight.
The acknowledgement of the weekend fits to the needs and the working practise of companies and public bodies. Especially small companies will not be able to provide a weekend service for data breaches.
The controller has at least two working days available to notify of data breaches to the authorities when a weekend falls into the notice period of 72 hours. The day where the controller has become aware of the data breach is not part of the extended period. The relevant period starts with the first working day which is following the day on which the knowlegde occured. The period is expiring with the end of the second working day at midnight.
3 Data Protection Authority.
5 Art 29 Working Party, WP250rev.01, Guidelines on Personal data breach notification under Regulation 2016/679, page 10; adopted on 3 October 2017, as last Revised and Adopted on 6 February 2018; https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052
6 Piltz/Pradel, Wie lange dauern 72 Stunden?; ZD (Zeitschrift für Datenschutz) 2019, 152
7 § 82 VgV (Vergabeverordnung); https://www.gesetze-im-internet.de/vgv_2016/__82.html
8 According to Art. 33 (1) GDPR; https://gdpr-info.eu/art-33-gdpr/
9 According to Art. 3 (1) Regulation (EEC, EURATOM) No 1182/71 of 3 June 1971; https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31971R1182
10 According to Art. 3 (2) (a) Regulation (EEC, EURATOM) No 1182/71 of 3 June 1971; https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31971R1182
11Art. 2 (2) Regulation No 1182/71 is defining working day: „For the purposes of this Regulation, ‘working days’ means all days, other than public holidays, Sundays and Saturdays.“; https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31971R1182
12Art. 3 (5) Regulation No 1182/71; https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31971R1182
13 Piltz/Pradel, Wie lange dauern 72 Stunden?; ZD 2019, 152 (156)
14 Art. 3 (3) and Art 3 (4) are not applicable to the 72 hours period of GDPR.
15 Art. 3 (1 – second subparagraph) Regulation No 1182/71; https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31971R1182;
this calcualation is called in Latin „dies a quo non computatur in termino“, see e.g. ECJ, C-171/03, Maatschap Toeters and M.C. Verberk, of 11 November 2004.
16 The ECJ held – in contrast to the wording of Regulation No 1182/71 – that the day of the event („dies a quo“) is considered to be part of the period although the period starts to run with the first day after the day where the event has happend;
see ECJ, C-171/03, Maatschap Toeters and M.C. Verberk, of 11 November 2004: http://curia.europa.eu/juris/liste.jsf?language=en&num=C-171/03
17 According to Art. 3 (2) (b) Regulation No 1182/71; https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31971R1182