The obligation to notify and the privilege against self-incrimination in personal data protection

Abstract

The GDPR stablishes for all the controllers and processors of personal data, the obligation to notify to the supervisory authority the breaches occurred to the personal data that they process. The infringement of this obligation shall be subject to administrative penalties, that are thus set as a coercive measure. If the personal data breach is related to an infringement of other obligations imposed by the GDPR to the same controller or processor, then the notification  may become a self-incriminating statement made under coercion. For those reasons, in this article we analyse the possibility of bringing the said notification or other evidence based on it, as incriminatory evidence against the subject on a proceeding for an offence under the GDPR.