🚨 Report a Security Incident
If you suspect a security incident or data breach, contact us immediately at [email protected] or call our emergency line.
1. Purpose
This Breach Notification Policy outlines ADSMedia's procedures for detecting, responding to, and notifying relevant parties about personal data breaches in compliance with GDPR Articles 33 and 34.
Our goal is to:
- Minimize the impact of any breach on data subjects
- Meet our legal notification obligations
- Support our customers in meeting their obligations
- Continuously improve our security posture
2. Definition of a Personal Data Breach
A personal data breach is a security incident leading to the accidental or unlawful:
- Destruction of personal data
- Loss of personal data
- Alteration of personal data
- Unauthorized disclosure of personal data
- Unauthorized access to personal data
Examples of Breaches
- Unauthorized access to customer email lists
- Accidental sending of emails to wrong recipients
- Loss or theft of devices containing personal data
- Ransomware attack encrypting customer data
- Employee accessing data without authorization
- Third-party sub-processor breach affecting our data
- Misconfigured server exposing personal data
3. Breach Response Timeline
| Phase | Timeline | Actions |
|---|---|---|
| Detection | Immediate | Identify and confirm the breach |
| Containment | Within 1 hour | Stop the ongoing breach, isolate affected systems |
| Assessment | Within 24 hours | Determine scope, data affected, risk level |
| Customer Notification | Within 72 hours | Notify affected customers (Data Controllers) |
| Authority Notification | Within 72 hours* | Customer notifies supervisory authority if required |
| Documentation | Ongoing | Record all facts and decisions |
| Review | Within 30 days | Post-incident review and improvements |
* Customers (Data Controllers) are responsible for notifying supervisory authorities. We assist with required information.
4. Detection and Reporting
4.1 Detection Methods
We employ multiple methods to detect potential breaches:
- Automated Monitoring: 24/7 system monitoring and alerting
- Log Analysis: Continuous analysis of access and security logs
- Intrusion Detection: Network and host-based detection systems
- Employee Reports: Internal reporting mechanism
- Customer Reports: Reports from customers or third parties
- Vulnerability Scanning: Regular security assessments
4.2 Internal Reporting
All employees and contractors must immediately report any suspected breach to:
- Email: [email protected]
- Internal incident management system
- Direct escalation to management for critical incidents
5. Breach Assessment
Upon detection, we assess the breach to determine:
5.1 Scope Assessment
- What personal data was affected?
- How many data subjects are affected?
- Which customers (Data Controllers) are affected?
- What is the geographic scope?
5.2 Risk Assessment
- What is the likelihood of harm to data subjects?
- What is the potential severity of harm?
- Are there mitigating factors (e.g., encryption)?
- Is the data recoverable?
5.3 Risk Classification
| Risk Level | Criteria | Notification Required |
|---|---|---|
| Low | Unlikely to result in risk to individuals | Document only, no notification |
| Medium | Risk to rights and freedoms of individuals | Notify customers → they notify authority |
| High | High risk to rights and freedoms | Notify customers → they notify authority + data subjects |
6. Notification to Customers
As a Data Processor, we notify our customers (Data Controllers) of any breach affecting their data.
6.1 Notification Content
Our breach notification to customers includes:
- Description of the nature of the breach
- Categories of data affected
- Approximate number of data subjects affected
- Name and contact details of our privacy contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Measures to mitigate possible adverse effects
6.2 Notification Method
- Primary: Email to account owner and designated security contact
- Secondary: Phone call for high-severity incidents
- Dashboard: Alert posted in customer dashboard
- Follow-up: Written incident report within 7 days
7. Customer Obligations
As Data Controllers, our customers are responsible for:
- Notifying the supervisory authority within 72 hours (if required)
- Notifying affected data subjects (if high risk)
- Documenting the breach in their records
- Cooperating with supervisory authority investigations
We provide all information necessary for customers to meet these obligations.
8. Supervisory Authority Notification
Under GDPR Article 33, Data Controllers must notify the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals.
Our lead supervisory authority:
Data State Inspectorate of Latvia
Elijas iela 17, Riga, LV-1050, Latvia
Website: www.dvi.gov.lv
9. Data Subject Notification
Under GDPR Article 34, if a breach is likely to result in a high risk to individuals, the Data Controller must notify affected data subjects without undue delay.
We assist customers by providing:
- List of affected email addresses (or hashed identifiers)
- Template notification text
- Guidance on communication best practices
- Technical support for sending notifications
10. Documentation
We maintain records of all breaches, including:
- Date and time of detection
- Nature and scope of the breach
- Categories of data and data subjects affected
- Assessment of risk
- Containment and remediation actions taken
- Notifications sent (to whom and when)
- Decisions made and rationale
- Lessons learned and improvements implemented
Records are retained for a minimum of 5 years.
11. Post-Incident Review
Following any breach, we conduct a review to:
- Identify root cause
- Evaluate effectiveness of response
- Identify improvements to prevent recurrence
- Update security measures as needed
- Revise this policy if necessary
- Provide findings to affected customers
12. Preventive Measures
We implement ongoing measures to prevent breaches:
- Security Training: Regular staff training on data protection
- Access Controls: Principle of least privilege
- Encryption: Data encrypted in transit and at rest
- Monitoring: Continuous security monitoring
- Updates: Timely security patches and updates
- Testing: Regular penetration testing and security audits
- Container Isolation: Customer data isolated in separate containers
13. Contact Information
For security incidents or questions about this policy:
Security Team
Email: [email protected]
Privacy Team
Email: [email protected]
ADSMedia SIA
Riga, Latvia
14. Policy Updates
This policy is reviewed annually and updated as needed. Last updated: November 29, 2025.