Incident register
This page records every material incident affecting the confidentiality, integrity, or availability of personal data processed by EthicsPortal. It is maintained in the spirit of Article 33 GDPR (notification of personal data breaches) and as a matter of institutional transparency.
Last updated: April 2026.
Scope
An entry is created for any of the following:
- A personal data breach as defined by Article 4(12) GDPR — “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
- A service outage exceeding two hours that prevented reporters from submitting reports or handlers from accessing active cases.
- A significant vulnerability in EthicsPortal or a subprocessor that required emergency mitigation.
- Any incident requiring notification to a supervisory authority under Article 33 GDPR.
Routine interruptions shorter than two hours, planned maintenance, and incidents that did not involve personal data are not recorded here.
Disclosure timeline
- Within 72 hours of becoming aware of a personal data breach — notification to affected operators (controllers) via email, per Article 33(2) GDPR.
- Within 7 days of containment — preliminary entry added to this register with summary, affected data categories, and mitigation status.
- Within 30 days of containment — final entry with root cause, remediation, and lessons learned.
Entries remain public indefinitely. Entries are never edited to reduce embarrassment; corrections are appended as later entries.
Reporting a security concern
To report a security issue affecting EthicsPortal, contact security@ethicsportal.eu. Encrypted reports are welcome; a PGP key is available on request.
Register
No entries.