What is a Data Breach?

A Data Breach is an incident that involves sensitive, protected or confidential data that has potentially been viewed, stolen or used by an unauthorized individual. For instance, if a USB drive or another data storage medium that contains personal data is lost. Other examples of a Data Breach include, theft of a business cell phone or sending documents containing personal data to the wrong person.

What is personal data?

Personal data is information that relates to an identified or identifiable individual (natural person) such as an individual's name, address, birth date, bank account details, telephone number or customer ID.

Examples for Data Breaches that have to be notified to the authorities:

• A list containing names and private contact details of OSRAM employees is accidentally sent to the wrong recipient.
• Hackers (potentially) gain access to an OSRAM customer database.
• A department is moving offices. Parts of a cargo including hard copy documentation with employee personal data are addressed to the wrong building. As a result, giving unauthorized persons access to personal data.
• Lists containing personal information of OSRAM employees are thrown in the regular trash instead of confidential bins for secure disposal.
• A service provider is given access to the entire customer relationship tool containing hundreds of customer personal information even though this is not a requirement to perform the services.
• Due to a software bug, personal information stored in a customer portal are accessible to other users without prior registration or approval.

What does it mean if a Data Breach has to be notified?

Depending on the exact nature of the incident, OSRAM may be required to notify the appropriate authorities. In some cases, notification to the affected individuals and the impact on their right to Privacy, might be a requirement.

Is there a deadline for submitting a Data Breach notification?

Yes. Depending on where the Data Breach occurs and what personal data is affected, OSRAM may be required to submit the notification within 72 or even 48 hours. Therefore, it is very important that you inform the Corporate Data Protection Officer as soon as possible, if you become aware that a Data Breach might have occurred. “Tell OSRAM” offers a quick and simple solution for submitting data breach incident reports. For more information on how to send a report, please see the next Point.

How can I report a Data Breach?

To report a Data Breach, simply click on the button “Submit report” on the left-hand side of this entry page. You will be guided through the reporting procedure. In the course of the procedure, you have the opportunity to upload attachments with a size of up to 5 MB. After submitting a report, the tool automatically provides you with a reference. Please include this reference in your further communication with us. “Tell OSRAM” offers you the option to setup a secure postbox for further communication. Use of the secure postbox is not required to submit a report. You may also contact the Corporate Data Protection Officer at any time also by sending an e-mail to privacy@osram.com.

How does a Data Breach put OSRAM at risk?

Data Breaches may harm the good reputation and standing of OSRAM as a reliable and trustworthy company and impact our business prospects. The appropriate authorities may impose fines or other sanctions like regular audits on OSRAM. The affected individuals may be entitled to claim damages in case of a serious Data Breach.