Six months after the adoption of the ordinance implementing the 2009 e-Privacy Directive in August 2011, the implementation decree has finally been adopted.
The decree clarifies the means and the content of the notification obligation. The notification to the CNIL must be made by letter delivered against signature and must specify the nature and consequences of the breach, the measures taken or contemplated to remedy the breach, the people to contact to obtain additional information and, if possible, an estimate of the number of impacted individuals.
The service provider is free to use any means to provide the notification to individuals as long as it can provide evidence of having done so. The notification must describe the nature of the data breach, the people to contact to obtain more information and the measures recommended to limit the adverse effects of the breach.
The decree specifies the conditions under which the service provider can be exempted from the obligation to notify individuals. The CNIL must have considered that the service provider has efficiently applied appropriate protective measures which make the data unintelligible to any person not authorized to access it. The service provider must provide the CNIL with a complete record including, in particular, a description of the measures and of the steps taken to make them effective. If the CNIL has not provided an opinion within two months, the opinion is considered negative and the service provider must notify the individuals.
The authority may also, in case of a serious breach, order the service provider to notify the individuals within a month.
