Just to add a bit of clarity: not all data breaches/leaks have to be reported to the authority (AP). There can be valid reasons why a breach/leak hasn't (and shouldn't) been reported.
The organization has to make an assessment of the (potential) impact of the data breach on the protection of personal data and privacy of data subjects.
If a data breach is not likely to lead to a risk to the "rights and freedoms of data subjects", an organization does not have to report it. Whether or not this is the case is up to the organization, but the assessment and decision have to be motivated and, if requested (by the authority), explained.
Keep in mind that these assessments are generally not taken lightly by organizations as any decision can have significant legal consequences.
If an organization decides not to report, it is still necessary to inform the impacted subjects and to register the breach/leak in an internal register (which should be made available upon request to the authority, together with the case-by-case motivation for why there has been a report or not).
I am in no position to assess whether a report to the authority should have been made in this specific case, but I just wanted to add that a decision not to report a leak isn't a sign of trying to "hide" a leak, of malpractice, or of not acting lawfully.
TL;DR: by law an organization shouldn't report everything just for the sake of "being on the safe side" but should make case-by-case assessments.