# Data Breach Response Plan

**Owner**: Luis Enrique Moya Rozas (Operator / Privacy Contact)
**Last reviewed**: May 20, 2026
**Document version**: 1.0

This document is the internal runbook for responding to a personal-data breach affecting the Easy Gsm Pro Portal or any CMS instance for which we act as processor.

It implements **Articles 33 (notification to supervisory authority) and 34 (notification to data subject) of the GDPR** plus equivalent obligations under LFPDPPP (Mexico), LGPD (Brazil), and the CCPA/CPRA breach-notification rules.

---

## What counts as a "personal data breach"

Per Article 4(12) GDPR, a personal data breach is a breach of security leading to any of the following, for personal data transmitted, stored or otherwise processed:

- **Accidental or unlawful destruction** of personal data.
- **Loss** (e.g., backup corruption).
- **Alteration** (unauthorized modification).
- **Unauthorized disclosure** (e.g., backup exposed publicly).
- **Unauthorized access** (e.g., compromised admin credentials).

Even a brief exposure, an email sent to the wrong recipient, or a misconfigured S3 bucket counts as a breach, regardless of whether anyone is known to have read the data. Whether it must be *notified* is a separate question, decided by the risk assessment in Step 2; it is always *recorded* (Step 6).

---

## Decision flow

```
[Detect/suspect incident]
    |
    v
[Triage within 24h]
    |
    v
Personal data involved? --[NO]--> Document; no notification obligation; review controls.
    |
   [YES]
    |
    v
Risk to rights and freedoms? --[UNLIKELY]--> Document internally; no supervisory authority notification.
    |
   [LIKELY]
    |
    v
[Notify supervisory authority within 72h (Art. 33)]
    |
    v
High risk to data subjects? --[NO]--> Done. Document.
    |
   [YES]
    |
    v
[Notify affected data subjects WITHOUT undue delay (Art. 34)]
    |
    v
[Post-mortem within 14 days]
```

---

## Step-by-step

### Step 1 — Detection and triage (target: within 24 hours of awareness)

1. Stop the bleeding: contain the incident first. Revoke compromised credentials, rotate keys, invalidate active sessions, isolate compromised hosts. Prefer isolating a host (firewall it off, snapshot it) over wiping it: a reimaged host takes the root cause with it.
2. Record the **first awareness timestamp** in UTC. The 72h clock starts at awareness (a reasonable degree of certainty that personal data has been compromised), not at the time the breach occurred. A short initial check to reach that certainty is acceptable, but once the clock is running it does not pause.
3. Open an incident ticket with: timestamp, summary, suspected scope, immediate containment actions.
4. Preserve evidence: copy logs (auth, web server, application, database, and the hosting provider's access logs) to a separate location before they rotate, hash the copies, and keep them read-only for the post-mortem.
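An evidence-preservation helper for item 4, added here as an illustration; it is not part of the Easy Gsm Pro Portal or this runbook's original text. It assumes a Linux host with GNU coreutils (`cp -p`, `sha256sum`, `date -d`); the incident id, paths and the sample log lines at the bottom are placeholders constructed for the demo. It copies the named logs out of their rotation path, records the awareness timestamp exactly once (the value the 72h clock is measured from), hashes every preserved file into a manifest, makes the copies read-only, and can later re-verify the manifest and compute the Art. 33 deadline.

```shell
#!/bin/sh
# Added example for Step 1 (evidence preservation and the 72h clock). Hypothetical
# helper written for this runbook, not code from the Easy Gsm Pro Portal.
# Assumes a Linux host with GNU coreutils (cp -p, sha256sum, date -d).
set -eu

# preserve_logs <incident-id> <evidence-root> <logfile>...
# Copies each log out of its rotation path into <evidence-root>/<incident-id>/,
# records the first-awareness timestamp exactly once, writes a SHA-256
# manifest of everything preserved and makes the copies read-only.
# Prints the evidence directory path.
preserve_logs() {
    incident="$1"; root="$2"; shift 2
    out="$root/$incident"
    mkdir -p "$out"
    # Written once and never overwritten: this is the legal start of the
    # 72-hour clock (awareness), not the estimated time of the breach itself.
    if [ ! -f "$out/AWARENESS_UTC" ]; then
        date -u +%Y-%m-%dT%H:%M:%SZ > "$out/AWARENESS_UTC"
    fi
    for f in "$@"; do
        cp -p -- "$f" "$out/"    # -p keeps the original modification time
    done
    # Hash every preserved file (manifest excluded) so that later tampering
    # or silent corruption of the copies is detectable.
    ( cd "$out" && find . -maxdepth 1 -type f ! -name MANIFEST.sha256 \
        -exec sha256sum -- {} + | LC_ALL=C sort -k 2 > MANIFEST.sha256 )
    chmod a-w "$out"/*
    printf '%s\n' "$out"
}

# verify_evidence <evidence-dir>
# Exit status 0 when every preserved file still matches the manifest,
# non-zero if any copy was modified after preservation.
verify_evidence() {
    ( cd "$1" && sha256sum --quiet -c MANIFEST.sha256 )
}

# deadline_72h <awareness-timestamp-utc>
# Prints the Art. 33 deadline: awareness + 72 hours.
# deadline_72h 2026-05-20T10:00:00Z  -> 2026-05-23T10:00:00Z
deadline_72h() {
    epoch=$(date -u -d "$1" +%s)
    date -u -d "@$((epoch + 72 * 3600))" +%Y-%m-%dT%H:%M:%SZ
}

# Demo on constructed sample logs (placeholder content, not real Portal data).
demo_root=$(mktemp -d)
printf 'May 20 10:00:01 portal sshd[4021]: Accepted publickey for root from 203.0.113.7\n' \
    > "$demo_root/auth.log"
printf '{"ts":"2026-05-20T10:00:02Z","event":"admin_login","user":"admin"}\n' \
    > "$demo_root/app.log"
evidence=$(preserve_logs INC-2026-001 "$demo_root/evidence" \
    "$demo_root/auth.log" "$demo_root/app.log")
echo "Evidence preserved in $evidence"
cat "$evidence/MANIFEST.sha256"
verify_evidence "$evidence" && echo "Manifest verified"
echo "Art. 33 deadline: $(deadline_72h "$(cat "$evidence/AWARENESS_UTC")")"
```

Run it once per incident with the real log paths; re-run `verify_evidence` before the post-mortem and before handing copies to counsel or a controller, and keep the evidence directory outside any path that logrotate or a deployment script can touch.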

### Step 2 — Risk assessment

Evaluate:

- **Categories of data** affected (identifiers, financial, special category Art. 9, etc.)
- **Number of affected data subjects** (1 vs 1,000 vs 1,000,000).
- **Likelihood of harm**: identity theft, financial loss, reputational damage, discrimination, loss of confidentiality, physical harm.
- **Whether data was encrypted/pseudonymized** in a way that makes it unintelligible to the attacker, and whether the key or the pseudonymization table was exposed as well.
- **Whether the attacker is known or unknown**, and whether the data was merely exposed or demonstrably accessed (check access logs before assuming either).

If the breach is likely to result in a risk to data subjects' rights and freedoms → notify the supervisory authority (Art. 33(1)).
If it is likely to result in a HIGH risk → also notify the affected data subjects (Art. 34(1)).

### Step 3 — Internal notification

Notify (immediately):

- **You** (operator/owner) — already involved.
- **Relevant CMS operator(s)** if the breach involves data we hold as processor on their behalf. They are the data controller and must be the ones notifying the supervisory authority.
- Any legal counsel engaged (recommended for first material breach).

### Step 4 — Supervisory authority notification (≤72h)

If we are the **controller** of the affected data (e.g., a breach of our license customer database, or the Portal's own data):

Notify the competent supervisory authority. For Mexico: INAI. For EU data subjects: the lead-authority mechanism (Art. 56) only applies to a controller with an establishment in the EU; without one, the authority of each Member State whose residents are affected is competent. Hosting in Germany does not by itself make a German authority competent. If a German authority is the right one, BayLDA supervises private-sector controllers in Bavaria (where the Hetzner Nuremberg site is), while BfDI is competent for federal public bodies and telecoms/postal providers, so BayLDA is the more likely contact.

**Use the template at the bottom of this document.**

Must include (Art. 33(3)):

a) Nature of the breach, including the categories and approximate number of data subjects and of personal data records concerned.
b) Name and contact details of the DPO or other contact point (us).
c) Likely consequences of the breach.
d) Measures taken or proposed to address it, including measures to mitigate possible adverse effects.

Do not hold the notification until the investigation is complete: Art. 33(4) allows the information to be provided in phases, so send what is known inside 72h and follow up. If the notification is later than 72h, include the reasons for the delay (Art. 33(1)).

If we are the **processor** for a CMS operator's data → we notify the CMS operator (the controller) "without undue delay" (Art. 33(2)). They handle the supervisory authority notification.

### Step 5 — Data subject notification (Art. 34)

If high risk → notify affected individuals **without undue delay**.

Notification must include (Art. 34(2)):

- Clear, plain-language description of breach.
- Name and contact of DPO/contact.
- Likely consequences.
- Measures taken or proposed.

Channel: direct email by default. If the compromised data or system includes the mailboxes or mail credentials themselves, assume the attacker may read that channel and use another one (in-app notice, postal mail, phone). A public communication (website notice, press) is acceptable only where individual notification would involve disproportionate effort and the public notice informs the affected individuals equally effectively (Art. 34(3)(c)).

Exceptions where notification not required (Art. 34(3)):

- Data was encrypted/pseudonymized such that attacker cannot identify subjects.
- We took subsequent measures eliminating the high risk.
- Individual notification would involve disproportionate effort → use public communication instead.

### Step 6 — Documentation (Art. 33(5))

Document every breach (regardless of notification obligation) in `breach_register.md` (separate file):

- Date and time of detection.
- Date and time of breach (if known).
- Description (nature, scope, data, subjects).
- Effects / actual consequences.
- Remedial actions taken.
- Decision tree result (notify? high risk?).
- If notification sent: to whom, when, copy of notification.

### Step 7 — Post-mortem (within 14 days)

- Root cause analysis.
- Process and technical fixes.
- Update the TOMs (Annex 2 of the data processing agreement with each CMS operator) if the controls described there were inadequate.
- Update this runbook with lessons learned.

---

## Template: Supervisory authority notification

```
Subject: Personal Data Breach Notification — [Brief Description]

Dear [Supervisory Authority],

Pursuant to Article 33 of the GDPR, I am notifying you of a personal data breach
detected by [Luis Enrique Moya Rozas / Easy Gsm Pro].

1. CONTROLLER / PROCESSOR

   - Name: Luis Enrique Moya Rozas
   - Role for this breach: [controller / processor on behalf of <controller name>]
   - Contact: luisenriquemr96@gmail.com
   - Residence: Mexico; Portal infrastructure: Germany (Hetzner)

2. BREACH SUMMARY

   - Date/time of breach (best estimate): [YYYY-MM-DD HH:MM UTC]
   - Date/time of awareness: [YYYY-MM-DD HH:MM UTC]
   - Type of breach: [confidentiality / integrity / availability]
   - Description: [What happened, in plain language. 2-3 sentences.]

3. SCOPE

   - Categories of data subjects affected: [end-users of CMS X / our license
     customers / other]
   - Approximate number affected: [N]
   - Categories of personal data: [identifying / authentication / order data / etc.]
   - Special categories (Art. 9): [yes/no — describe]

4. LIKELY CONSEQUENCES

   [Identity theft? Financial loss? Reputational? Negligible because encrypted?]

5. MEASURES TAKEN OR PROPOSED

   [Containment actions already executed: rotated keys / revoked sessions / etc.
    Planned remediation: deploy fix X by date Y / notify subjects by date Z.]

6. CONTACT FOR FOLLOW-UP

   - Email: luisenriquemr96@gmail.com
   - Phone: [optional]

Regards,
Luis Enrique Moya Rozas
```

---

## Template: Data subject notification

```
Subject: Important — Security incident affecting your account

Hello,

We are writing to inform you of a security incident that may have affected your
account at [CMS NAME / Easy Gsm Pro].

WHAT HAPPENED

On [date], we [discovered/were notified of] a security incident in which
[plain-language description: e.g., "an unauthorized party accessed a database
backup containing user records"].

WHAT INFORMATION WAS AFFECTED

The incident may have exposed: [list categories — e.g., username, email, order
history]. It did NOT expose: [list only what you have verified was protected — e.g.,
passwords, which are stored as bcrypt hashes and remain unreadable; confirm the
hash algorithm against the actual schema before making this claim].

WHAT WE ARE DOING

[Containment actions and remediation plan.]

WHAT YOU SHOULD DO

[Practical advice: change password if same password reused elsewhere; enable 2FA;
monitor for suspicious activity.]

If you have questions, reply to this email or contact us via
https://easygsmpro.com/legal/contact-privacy.

We sincerely apologize for the disruption and have taken steps to prevent
recurrence.

Sincerely,
Luis Enrique Moya Rozas — Easy Gsm Pro
```

---

## Contacts and resources

- **Mexico**: INAI — Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales — https://home.inai.org.mx
- **Germany / EU lead**: depends on the case. BfDI (federal) https://www.bfdi.bund.de or BayLDA (Bavaria for Hetzner Nuremberg) https://www.lda.bayern.de
- **UK**: ICO — https://ico.org.uk
- **Brazil**: ANPD — https://www.gov.br/anpd
- **EDPB guidelines on breach notification**: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en
