beta
Privacy Policy
Terms of Service
BOTHUB MICA Statement
Cookie Policy
Data Breach Policy
Data Request Policy
Data Subject Request Form
Disclaimer
General Terms and Conditions
Payment and Refund Policy
Security Policy

Data Breach Policy

Last Updated: 26 September 2025

1. Introduction

The General Data Protection Regulation (GDPR) protects the rights of individuals whose personal data is obtained, stored, processed, or shared. It requires organizations to take appropriate security measures and to report actual or suspected personal data breaches in a timely manner.

This Data Breach Policy sets out the procedures of Bothub Global AB (company no. 559431-4493, registered at Kungsgatan 32, 111 35 Stockholm, Sweden) (“Bothub”, “we”, “us”, “our”) as the Controller of personal data. “You”, “your” or “User” refers to the Data Subject.

2. What Is a Data Breach?

A Data Breach is a security incident leading to the accidental or unlawful:

  • Destruction,
  • Loss,
  • Alteration,
  • Unauthorized disclosure of, or
  • Unauthorized access to

personal data that is transmitted, stored, or otherwise processed.

Examples include (non-exhaustive):

  • Loss or theft of devices or files containing personal data (e.g., laptop, USB drive, paper file).
  • Weak or missing access controls allowing unauthorized access.
  • Equipment or system failure.
  • Human error (e.g., sending personal data to the wrong recipient).
  • Natural disasters (fire, flood) causing data loss.
  • Cyberattacks (hacking, phishing, malware).

3. Data Breach Response Team

  • In the event of a suspected or confirmed breach, the CEO will convene the Data Breach Response Team (DBRT).
  • The DBRT will include IT specialists, compliance/legal officers, and external experts if required.
  • The DBRT is responsible for:
    • Containing and investigating the breach.
    • Coordinating communications with Supervisory Authorities, affected Data Subjects, and relevant Third Parties.
    • Documenting all actions in the Data Breach Register (Annex II).
    • Implementing technical and organizational measures to mitigate risks.

The DBRT will remain active until the breach is fully managed and closed.

4. Notification to Supervisory Authorities

  • Bothub shall notify the relevant Data Protection Authority (DPA) without undue delay, and within 72 hours of becoming aware of a Data Breach, unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects.
  • If notification is delayed, reasons must be documented.
  • Where the breach affects Data Subjects in more than one EU country, notifications shall be made to each relevant DPA.
  • Notifications must include:
    • Nature and scope of the breach.
    • Contact details of the responsible officer.
    • Likely consequences of the breach.
    • Measures taken or proposed to address the breach.

5. Notification to Data Subjects

If the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, Bothub shall promptly inform affected individuals in clear and plain language, including:

  • Nature of the breach.
  • Contact details of the responsible officer.
  • Possible consequences.
  • Steps taken or planned to mitigate impact.
  • Practical advice for individuals on how to reduce potential risks.

Exceptions: Notification is not required if:

  1. Appropriate measures (e.g., encryption) made the data unintelligible.
  2. Subsequent measures eliminated the risk.
  3. Individual notifications would require disproportionate effort (in which case, public communication will be used).

All decisions to apply exemptions must be documented.

6. Communication with Third Parties

  • If Bothub processes personal data on behalf of a Third Party (as Processor) and a breach occurs, we shall notify the Third Party without undue delay (no later than 72 hours).
  • If a Third Party provides data to Bothub and a breach occurs, the DBRT will inform the relevant Third Party promptly.
  • Upon receiving a breach notification from a Third Party, the CEO will:
    • Form the DBRT.
    • Request necessary details.
    • Apply this Policy’s breach response steps.

7. Documentation and Register

  • All breaches (suspected or confirmed) must be logged in the Data Breach Register (Annex II), regardless of whether notification is required.
  • Documentation must include:
    • Facts relating to the breach.
    • Its effects and consequences.
    • Remedial actions taken.

8. Miscellaneous

  • Effective Date. This Policy is effective from the date above.
  • Changes. We may update this Policy as laws or practices evolve. The latest version will be published on our Website with the “Last Updated” date.
  • Governing Law. This Policy is governed by Swedish law. Disputes shall first be resolved through 30 days of good-faith negotiations, and failing that, by the Swedish courts, with Stockholm District Court as the court of first instance.
  • Interpretation. Headings are for convenience only. Undefined terms have the meaning given in our Privacy Policy and Terms of Service.
  • Language. This Policy is in English. In case of translation discrepancies, the English version prevails.

9. Contact Information

If you have questions about this Data Breach Policy, please contact us: [email protected].

You may also contact the Swedish Authority for Privacy Protection (IMY) or your local Data Protection Authority for complaints or inquiries: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Consent to the use of cookies

🍪 Our website uses cookies

This site uses tracking technologies. You can control how we use this information. We use cookies to improve our product and your experience on our website according to our Cookie Policy.