Managing IT security incidents at EASA. This covers any event that leads potentially or actually to a damage to confidentiality, integrity or availability of information asset of EASA.
In case of IT security incidents which may involve personal data, the DPO must be informed as soon as possible. Except in case of extreme urgency, accessing personal data of data subjects should only be carried out with the authorisation of the Head of IT.
Except where a restriction listed in Article 25 of Regulation 2018/1725 applies, data subjects must be informed before the data is accessed or at the latest within one month after the data was accessed.
This data may be processed for actions of investigation, containment, remediation and information relating to the incident.