Security Incident Management Framework

This procedure will be carried out in the event of any incident affecting the security of Personal Data. In every case, the actions described in the following sections will be carried out:

  1. Incident Communication

  2. Incident Recording

  3. Incident Evaluation

The actions described in section 4, Notification of the Incident, will be carried out in cases where the security incident poses a high risk to the rights of those affected.

The following process shows the general flow followed in the procedure for managing security incidents regarding Personal Data:

Incident Communication

• All Event Hub employees and contractors are obliged to report any security incident relating to personal data to the Data Protection Officer (DPO).

This notification will be made through the email address info@eventhub.com.au or through any other formal communication channel.

• Incidents may occur in any activity related to the handling and management of information, whether in physical format or in logical databases that store personal data. For further scenarios that can be considered a data breach, refer to the “Definitions Section” of this document.

Incident Recording

Once the security incident has been reported:

• The Data Protection Officer will formally record the security incident. At a minimum, the following information shall be detailed:

  Type of Incident.
  Description of the Incident.
  Date and time when the Incident was observed.
  User reporting the incident.

• If necessary, the Data Protection Officer may request technical support from internal and external authorities to analyze and identify the impact of the incident.

Incident Evaluation

Once the security incident has been recorded, the following actions will be performed:

• The Data Protection Officer will evaluate the security incident.

• The category or level of criticality of the incident will be determined by the Data Protection Officer. The following classification helps in identifying the severity of security breaches.

Critical: Affects a large volume of valuable data in a short time.

Very High: The incident has the capacity to affect valuable information in an appreciable quantity.

High: The incident has the capacity to affect valuable information.

Medium: The incident has the capacity to affect an appreciable volume of information.

Low: Little or no capacity to affect an appreciable volume of information.

In addition, the following technical scenarios may lead to an incident:

0-day (Unknown Vulnerability):

A 0-day vulnerability is one that is not yet known to the manufacturer or developer, which allows an attacker to exploit it to access data. The vulnerability remains exploitable until the manufacturer or developer resolves it.

APT (Targeted Attack):

This refers to different types of attacks that are normally aimed at gathering fundamental information that will allow the continuation of more sophisticated attacks. This category includes, for example, an email campaign with malicious software to employees of a company until one of them installs it on their computer and provides a gateway to the system.

Denial of Service (DoS/DDoS):

It consists of flooding a system with traffic until it is not able to provide service to its legitimate users.

Access to Privileged Accounts:

The attacker gains access to the system through a user account with advanced privileges, which gives them freedom of action. The user name and password must previously have been obtained by some other method, such as a targeted attack.

Malicious Code:

Pieces of software whose purpose is to infiltrate or damage a computer, server, or another network device for a variety of purposes. One of the possibilities for malicious code to reach an organization is for a user to unintentionally install it.

Compromise of Information:

Covers all incidents related to the access to, leakage, modification or deletion of non-public information.

Data theft and/or leakage:

This category includes the loss or theft of storage devices containing information.

Defacement:

A type of targeted attack that consists of modifying the corporate website with the intention of posting messages of any kind or for any other purpose. The normal operation of the website is interrupted, causing reputational damage.

Exploitation of application vulnerabilities:

When an attacker successfully exploits an existing vulnerability in a system or product, thereby compromising an organization's application.

Social Engineering:

These are deception-based techniques, usually carried out through social networks, which are used to direct a person's behavior or to obtain sensitive information. For example, the user is induced to click on a link because they believe it is the right thing to do.

If any of these events occur, the security incident must be reported to:

  1. The local data protection regulator.

  2. The affected parties.

Incident Notification

Notification to the Supervisory Authority

As soon as the data controller becomes aware that a breach in the security of personal data has occurred, the controller must, without undue delay and no later than 72 hours after becoming aware of it, make the corresponding notification to the Supervisory Authority.

A security breach is considered to be recorded when there is a certainty that it has occurred and there is sufficient knowledge of its nature and scope.

The criterion for determining whether an incident has produced "a breach in the security of personal data" is included in the GDPR itself, and covers "all those security breaches that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data".

This communication shall be made using the communication model described below and shall contain the following information:

  • Identifying and contact data of:

      • Entity / Person responsible for processing

      • Data Protection Officer (if designated) or contact person

  • Indication of whether the notification is complete or partial. In the case of a partial notification, indicate whether it is a first notification or a supplementary notification.

  • Information about the personal data security breach:

      • Date and time of detection.

      • Date and time of the incident and its duration.

      • Circumstances in which the personal data security breach occurred (e.g. loss, theft, copying, etc.).

      • Nature and content of the personal data.

      • Summary of the incident that caused the personal data security breach (with an indication of physical location and storage medium).

      • Possible consequences and negative effects on the data subjects affected.

      • Category of data affected and the number of records affected.

      • Category and number of individuals affected.

      • Possible issues of a cross-border nature, indicating the possible need to notify other supervisory authorities.

If it is not possible to provide all the information at the time of notification, it may be provided gradually in later stages. The first notification shall be made within 72 hours, and at least one final or closing communication shall be made when all the information relating to the incident is available.

When the data controller makes the first notification, he or she shall state whether further information will be provided later. The controller may also provide additional information by means of intermediate communications to the supervisory authority, at its request or when the controller considers it appropriate to update the supervisory authority on the situation.

Where initial notification is not possible within 72 hours, the notification shall still be made afterwards and shall state and justify the reasons for the delay.

Notifications must be clear, concise, and include the information necessary for them to be properly analyzed.

Identification of the Supervisory Authority

Where an incident may affect the data of persons in more than one Member State, the controller should assess which is the main authority to which the notification should be made and, in case of doubt, at least notify the local supervisory authority of the place where the breach has taken place. The main supervisory authority will be that of the main establishment, or of the sole establishment, of the controller.

The criteria for identifying the main establishment are:

  The place where the controller's main headquarters is located.

  The place where decisions about the purposes and means of processing are made.

Notification to the Data Subjects Concerned

In the event of a security incident that poses a high risk to the rights and freedoms of concerned data subjects, this should be communicated to the affected parties in order to enable them to take measures to protect themselves from the consequences of the incident.

The Data Protection Officer is responsible for notifying the affected parties of the incident and must inform them of it within a reasonable period of time.

The notification will be made by email and will include the following information:

1. Contact details of the Data Protection Officer (DPO) or, where appropriate, the contact point where further information can be obtained.

2. General description of the incident and when it occurred.

3. The possible consequences of the personal data security breach.

4. Description of personal data and information affected.

5. Summary of measures implemented so far to control possible damage.

6. Other useful information to those affected to protect their data or prevent possible damage.

Exceptions to Notification/Communication

  • Notification to the Supervisory Authority will not be necessary where the data controller can demonstrate, in a reliable manner, that the breach in the security of personal data does not pose a risk to the rights and freedoms of natural persons. For example, if the data were already publicly available and their disclosure does not entail any risk to the data subject.

  • Furthermore, communication to data subjects will not be necessary where:

      • The data controller has taken appropriate technical and organizational measures, such that the data were not intelligible to unauthorized persons or machines prior to the personal data security breach (through the use of state-of-the-art data encryption, minimization, data dissociation, access to test environments without real data, etc.). For example, notification may not be necessary if a mobile device is lost and the personal data it contains is encrypted. However, notification may still be required if this was the only copy of the personal data, or if, for example, the encryption key in the possession of the data controller is compromised.

      • The data controller has taken protection measures that fully or partially mitigate the possible impact on those affected and ensure that there is no longer any possibility of the high risk materializing. For example, by immediately identifying and taking measures against the person who accessed the personal data before they could do anything with it.

If all the user data is lost and notification cannot be sent to the affected Data Subjects, or if the effort required to identify the affected Data Subjects would be disproportionate, the Security Breach Notification should instead be made public through established channels, including the website, social media, or any other means.
