According to some GDPR provisions, obligations of the controller are omitted or reduced if there is presumably no risk or only a lower risk. Some data protection experts dispute that a situation of no risk can exist at all. According to the wording of the GDPR, however, this possibility does exist.
The following data subject rights are omitted or weakened on the basis of risk:
Art. 33 I 1: “In the case of a personal data breach, the controller shall […] notify the personal data breach to the supervisory authority […], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
Art. 34 I: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
Art. 34 III a: “The communication to the data subject referred to in paragraph 1 shall not be required if the controller has implemented appropriate technical and organisational protection measures […].”
Art. 34 III b: “The communication to the data subject referred to in paragraph 1 shall not be required if the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise.”
For the risk-based approach in general see Tiles BC.02 and PC.11. Literature dealing with the risk-based approach: Tile L.02.