Agreement Without Undue Delay

Despite their ambiguity, or perhaps precisely because of this – you will find the terms “immediately,” “without undue delay” and “timely” (an exhaustive list would be… Exhausting!) notification of data protection violations and Business Association Agreements (AAS). As a result, data protection and compliance officials are unsure when they need specific direction. Many companies often spend hundreds or thousands of dollars an hour on compliance lawyers to interpret and negotiate notification periods described in BAAs. The RGPD refers in several places to the term “no delay (unjustified) “. The term is included in Article 5, paragraph 1 of the RGPD, which states that inaccurate data is immediately deleted or corrected taking into account the purposes for which it is processed. In addition, Article 12, paragraph 3, of the RGPD stipulates that the rights requests of the persons concerned must be carried out without delay but in any event within one month of receipt of the application. In addition, the subcontractor must inform the person in charge of the processing without delay when it considers that an investigation is contrary to the RGPD or other data protection provisions of the EU or Member States (Article 28, paragraph 3, of the RGPD) and that notification to the supervisory authority of a breach of personal data should in principle be carried out without delay (Article 33, paragraph 1, of the RGPD). In accordance with Article 34, paragraph 1, of the RGPD, the person in charge of the processing immediately informs the person concerned of the breach of personal data. I just saw your tweet in which she preferred “without delay” “without undue delay.” I tend to agree, but there is a good reason to continue to use “without undue delay” in German legal treaties. German law allows a recognized legal definition of the term “without delay” as “without wrongful delay, i.e. voluntary or negligent.” I therefore tend to use in my German legal contracts “without undue delay”, often followed by “immediately” in brackets, because it is so well linked to this definition. Excessive delay in initiation or completion or failure to take positive or corrective action after the developer has received written notifications from the department regarding the infringement.

With regard to Article 34, paragraph 1, of the RGPD, the EDPB decides on the term adopted in its WP 250 by the Article 29 Group on Data Protection on Guidelines for Reporting Personal Data Breaches in accordance with Regulation 2016/679: the RGPD stipulates that the transfer of an infringement to individuals should take place “immediately”, i.e. as soon as possible (p. 20). It is clear that the term “no undue delay” requires a case-by-case analysis, which takes into account the individual circumstances and conditions of each case, and is not subject to a harsh conceptual definition defining absolute concrete periods in which an act must take place.