(Choose 2 answers)
In case of a data breach, the data controller must... (Select multiple answers)
A. launch an internal investigation to assess the effects of the breach on its enterprise
B. launch an internal investigation with the collaboration of all suppliers processing data involved (if any) in order to assess the actual and possible impacts of the breach on data subjects
C. in any case notify the breach firstly to the data protection authority within 72 hours after having become aware of the data breach and then to the data subjects involved, if the data breach is likely to result in a risk to the rights and freedoms of individuals
D. notify the breach firstly to the data protection authority within 72 hours after having become aware of the data breach if the data breach is likely to result in a risk to the rights and freedoms of individuals, and then also to the data subjects involved, if such risk is high
an to ni
