
Most recent Guidelines of the Polish Data Protection Office – recommendations in a nutshell

Publication date: October 23, 2025

Personal data breach – definition

Personal data processing is any operation performed on information relating to an identified or identifiable natural person. Note, however, that the GDPR does not apply to processing carried out by a natural person in the course of a purely personal or household activity.

Examples of personal data processing:

  • An online store collects customer data in order to fulfil orders.
  • An educational institution stores information about students to monitor their academic progress.
  • An accounting office processes client data in order to fulfil its accounting and tax obligations.

However, personal data protection regulations do not cover activities performed solely for private purposes, such as:

  • Organizing contacts on a private mobile phone that is not used for professional or business purposes.
  • Sharing private information about yourself online.
  • Deleting files from your computer containing private medical information.

A personal data breach is a breach of security affecting personal data that may compromise its confidentiality, integrity or availability. It may be accidental (e.g. error, negligence or system failure) or intentional (e.g. theft, fraud or hacking).

A personal data breach occurs when:

  • the event is a security incident;
  • it concerns personal data being processed;
  • it may lead to the unauthorized destruction, loss, modification or disclosure of, or access to, that data.

Therefore, events that do not meet these criteria will not be treated as a personal data breach.

Examples of personal data breaches:

  • Destruction by fire of the only copy of documents containing personnel data (destruction).
  • Loss of a flash drive with a customer database (loss).
  • Unauthorized changes to student names in the university system as a joke (modification).
  • Accidentally sending an unsecure contract containing personal data to the wrong recipient (disclosure).
  • Bank account takeover by fraudsters (unauthorized access).

Events that do not constitute a personal data breach:

  • A short-term lack of access to personal data caused by a scheduled IT system update (this is not a security incident).
  • Loss of documents that do not contain personal data (e.g. financial documents that do not contain data enabling the identification of a natural person).
  • Accidentally sending an email containing personal data to the wrong recipient within the organisation, where that recipient is authorized to access the data (there is no unauthorized disclosure).

Why are personal data breaches dangerous?

Security incidents, such as ransomware infections or improperly secured archives, can lead to the loss, disclosure, or destruction of personal data. The consequences of such breaches can include physical harm, property damage, non-property damage (e.g., stress, discomfort), and serious consequences such as identity theft or privacy breaches. It is crucial that organizations respond immediately to such incidents to minimize their negative impact.

A personal data breach occurs regardless of whether adverse consequences for individuals actually occur. Assessing whether such a situation is likely to occur and how severe it might be for one or more individuals is one of the key responsibilities of data controllers related to personal data breaches.

Diagram: an event that (1) is a security incident, (2) concerns personal data and (3) may violate the confidentiality, integrity or availability of that data is a personal data protection breach, which may result in physical harm, property damage or non-property damage to individuals.

What are breaches of confidentiality, integrity and availability of personal data?

Processing must be secure, and personal data breaches can disrupt processing security in various ways. Their nature includes:

➢ breach of data confidentiality;

➢ data integrity violations;

➢ data availability violations.

Breaches of confidentiality of personal data

Confidentiality of personal data means that only authorized persons can access it, i.e. those who have appropriate authorization or a legal basis to take specific actions using personal data.

A breach of personal data confidentiality occurs in the event of:

➢ unauthorized disclosure of personal data;

➢ unauthorized access to personal data.

Unauthorised disclosure of personal data occurs when the person processing personal data allows unauthorized persons to become familiar with it.

Unauthorized access to personal data occurs when an unauthorized person obtains the ability to process it on their own (i.e. without having been granted authorization).

 

A breach of personal data confidentiality may include, among others:

➢ oral disclosure of personal data to unauthorized persons, obtained in connection with the profession or function performed;

➢ mistakenly sending an e-mail containing personal data to the wrong (and unauthorized) recipient (unless the controller has proof that the message was not delivered);

➢ throwing away documents containing personal data or leaving them in a place to which unauthorized persons have access;

➢ selling old telephones, computers or other media without first permanently deleting the personal data stored in their memories;

➢ failure to deprive a former employee of access to the IT system enabling viewing of personal data;

➢ unauthorized persons breaking into the room where documents containing personal data are stored (unless the controller has proof of lack of access to the documents);

➢ cybercriminals breaking the security of the IT system enabling access to personal data.

 

Breaches of the integrity of personal data

A breach of the integrity of personal data occurs when the data is altered without authorization or altered incorrectly. This may occur in the following cases:

➢ any change made by an unauthorized person;

➢ an incorrect (e.g. accidental, erroneous, inaccurate, incomplete, outdated) change made by an authorized person (or the person fails to make an appropriate change).

 

A breach of the integrity of personal data may include, among others:

➢ entering incorrect personal data into the documentation;

➢ failure to enter changes to information in the database that should be updated;

➢ failure of electronic equipment resulting in the transformation of personal data processed by it;

➢ the operation of malicious software that makes changes to files containing personal data.

Breaches of the availability of personal data

The availability of personal data means that they can be processed without hindrance in accordance with their intended purpose by persons authorized to do so.

A breach of the availability of personal data occurs in the case of:

➢ unauthorized loss of personal data;

➢ unauthorized destruction of personal data.

Unauthorised loss of personal data refers to a situation in which it is temporarily or permanently impossible to use it, although it is possible to recover or reproduce it.

Unauthorized destruction of personal data occurs when it is irretrievably lost because the controller is unable to recreate it (e.g. from a backup copy).

 

A breach of the availability of personal data may include, among others:

➢ loss of paper documentation or electronic media (e.g. USB flash drive, SSD, CD) containing the only copy of personal data;

➢ permanent or temporary loss of access to personal data due to an IT system failure or cyberattack;

➢ loss of access to personal data due to blocking or deletion of the user account;

➢ loss of access to personal data due to technical problems of the cloud computing provider;

➢ destruction of the infrastructure storing personal data (e.g. archive rooms, servers) without the possibility of restoring access to the data within the planned time.

Diagram: personal data protection breach – confidentiality (disclosure, access), integrity (modification), availability (loss, destruction).

What is the difference between a “personal data breach” and a “GDPR violation”?

The occurrence of a personal data breach does not, in itself, mean that the controller or processor has violated the GDPR. Although both are commonly referred to as “breaches”, their meanings are different. A GDPR breach results from conduct that is inconsistent with certain requirements set forth in this legislation, which may—but does not necessarily—contribute to security incidents.

The GDPR does not oblige controllers and processors to prevent every conceivable personal data breach. If a breach occurs despite the entities responsible for the security of processing having properly performed their obligations, they are not exposed to administrative sanctions.

Comparison: personal data protection breach vs. violation of GDPR regulations

Personal data protection breach – a security incident concerning personal data; factual in nature; gives rise to an obligation to react adequately to the event; no administrative sanctions.

Violation of GDPR regulations – conduct inconsistent with GDPR regulations; legal in nature; gives rise to an obligation to adapt to the requirements; administrative sanctions.

Obligations related to personal data breaches

Who is a “controller”?

Every organization processing personal data has a number of obligations aimed at ensuring the protection of this data. The key entity responsible for fulfilling these obligations is the controller – the entity that determines the purposes and means of personal data processing. Controllers are responsible for compliance with the GDPR, including ensuring the security of the data processed. Often the purposes and means of processing are defined by law, e.g. national legislation.

According to Article 4(7) of the GDPR, a controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The status of controller therefore depends not only on contractual provisions but on who actually determines the purposes and means of processing.

 

Obligations of personal data controllers:

Data controllers are obligated not only to prevent personal data breaches, but also to detect and respond to any data security incidents. In case of violations, the following duties may be activated:

  • Take action to address the breach and minimize its effects.
  • Assess the risk that the violation poses to the rights and freedoms of natural persons.
  • Report a personal data breach to the relevant supervisory authority if there is a risk of a breach of the rights of natural persons.
  • Inform data subjects about a breach if there is a high risk to their rights.
  • Document all data breach incidents.

 

Accountability of controllers:

Controllers must be able to demonstrate compliance with their data protection obligations (the principle of accountability). They should therefore keep documentation that evidences compliance with the GDPR. Such documents may include:

  • Notes, instructions, correspondence,
  • Audit and security test reports,
  • Extracts from systems.

 

Joint controllers:

Where more than one entity jointly determines the purposes and methods of personal data processing, we are dealing with joint controllers. In such situations, responsibility for managing data breaches is shared. Joint controllers must agree on the division of responsibilities, specifying who will be responsible for reporting breaches to the supervisory authority and notifying data subjects.

 

Who is a “processor”?

A processor is an organization that processes personal data on behalf of a controller. It processes data only in accordance with the controller’s instructions, based on a contract or other legal instrument.

Pursuant to Article 4(8) of the GDPR, a processor is a natural person, legal person, public entity or other entity that processes personal data on behalf of the controller.

 

Obligations of processors:

Processors are obliged to:

  • Prevent data breaches by ensuring an appropriate level of security and acting in accordance with the controller’s instructions.
  • Detect any data breaches.

In the event of a personal data breach, processors must:

  • Report any identified personal data breach to the controller.
  • Support the controller in carrying out its breach management responsibilities.

While controllers are primarily responsible for managing data breaches, processors must also actively participate in the data protection incident response process.

 

Who is the Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is a specialist who supports organizations in complying with personal data protection regulations. They provide GDPR advice, monitor compliance, raise staff awareness, and cooperate with the supervisory authority. In some cases, organizations are required to appoint a DPO. The DPO’s independence is crucial, and their duties should be free from conflicts of interest.

The main tasks of the DPO are:

  • Advising on personal data protection;
  • Monitoring compliance with personal data protection rules;
  • Training staff on GDPR regulations;
  • Cooperating with the supervisory authority;
  • Acting as a contact point for both the supervisory authority and data subjects.

The role of the DPO in the event of a personal data breach:

The Data Protection Officer must be involved in all data protection matters, including personal data breaches. They should be promptly informed of any incident to monitor and support the organization in managing the data breach.

The DPO’s actions in the event of a personal data breach include:

  • Supporting organisations in preventing breaches, e.g. by providing training, promoting data protection awareness and recommending security measures;
  • Advice on responding to breaches, including reporting the breach to the supervisory authority and informing data subjects;
  • Assistance in documenting violations and managing appropriate documentation;
  • Providing the necessary information about the breach to the supervisory authority and data subjects.

Prohibitions for DPOs: a DPO cannot perform tasks assigned exclusively to controllers or processors. This means that the DPO should not:

  • Report personal data breaches to the supervisory authority on behalf of the controller;
  • Notify data subjects of breaches;
  • Document breaches on behalf of the controller;
  • Make decisions on matters relating to the security of data processing;
  • Act on the basis of a power of attorney in matters of personal data protection.

 

Consequences of inappropriate separation of roles: Inappropriate separation of duties can lead to a loss of objectivity by the DPO and, consequently, to the emergence of a conflict of interest. For this reason, it is essential that the DPO’s role is clearly defined and their independence is maintained.

Principles for preventing personal data breaches – risk-based approach:

 

What is a risk-based approach?

This is a key principle of the GDPR, which states that personal data protection measures should be tailored to the level of risk an organization faces when processing that data. Because each processing situation is unique, it requires individual analysis.

Risk assessment in GDPR:

  • According to Recitals 75 and 76 of the GDPR, the risk assessment should take into account the potential harm that may result from a breach of the rights of natural persons. Controllers must assess the risks both before and during processing.
  • GDPR provisions do not impose a specific obligation to implement specific security measures, but it is the controllers who are familiar with the details of the processing who decide on the appropriate data protection measures.

Types of risks:

  • Risks related to processing: Covers hypothetical risks that may affect the rights of individuals and allows for the prevention of possible problems.
  • Data breach risk: This refers to actual data breach incidents that require impact analysis and corrective action.

For high-risk data processing, the controller should conduct a data protection impact assessment (DPIA) and implement appropriate remediation measures. While the occurrence of a breach does not, in itself, constitute a flawed risk assessment, it should lead to a review and update of the assessment based on new experience.

Obligations of controllers (Article 24(1) GDPR):

  • Implementation of appropriate technical and organizational measures in accordance with the GDPR.
  • Regular review and, where necessary, updating of the security measures in use.
  • Risk assessment both before and during the processing of personal data.

Controllers must be able to demonstrate that they have adequately assessed the risks and taken appropriate measures to protect personal data.

How to prevent personal data breaches?

Data controllers and processors are obligated to ensure data security by implementing appropriate technical and organizational measures. It is crucial to adapt these measures to current technological knowledge, implementation costs, and the specific nature of the processing – its nature, scope, context, and purposes, as well as the level of risk.

Selection of security measures

As circumstances and threats evolve, organizations should regularly review and improve their security measures. There is no universal list of data protection measures—each organization should choose them individually, taking into account its specific circumstances. Recognized standards can be used for this purpose, but their application should be flexible and tailored to the specific situation.

Article 32, paragraph 1 of the GDPR – Security of processing

According to the GDPR, security measures should include:

– Encryption and pseudonymization of personal data to reduce the risk of unauthorized access.

– Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

– The ability to quickly restore access to data in the event of a failure or incident.

– Regular testing of the effectiveness of the security measures in place to verify their effectiveness and make improvements as necessary.

Risk assessment and security adjustments

– Controllers must actively prevent incidents that may compromise data security.

– Article 32(2) of the GDPR indicates that the assessment of the appropriate level of security should take into account the risks presented by the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.

– The choice of security measures should be tailored to the nature of the organization and its specific processing processes.

Preventing personal data breaches

Controllers and processors are required to implement effective technical and organizational measures to ensure the security of personal data. To achieve this goal, it is necessary to adapt the solutions used to current technological knowledge, implementation costs, and the specific nature of the processing – its nature, scope, context, and purposes. Because threats may change, organizations should regularly analyze and update data protection measures.

Organizational measures to prevent data breaches

To effectively minimize the risk of breaches, organizations should implement appropriate procedures and best practices, such as:

  1. Data protection policy – establishing and implementing clear rules regarding the processing and protection of personal data.
  2. Incident response – preparing plans for data recovery and restoring protection in the event of a breach.
  3. Network traffic monitoring – systematic analysis of systems to detect unauthorized access attempts and anomalies in device usage.
  4. Secure password policy – defining requirements for creating, storing and periodically changing passwords.
  5. User and access management – granting and verifying data processing permissions and their timely deactivation in the event of role changes or employee departures.
  6. IT security policies, including:
  • Privacy by design – taking data protection into account at the system design stage.
  • Privacy by default – the highest privacy protection standards are applied by default.
  • Risk analysis – regular assessment of risks related to data processing.
  7. Audit and penetration testing – identifying weaknesses in security systems and implementing corrective actions.
  8. Staff training – building awareness and promoting good data protection practices among employees.
  9. Regular assessment and updating of security measures – adapting security to changing technologies, processes and threats.

 

Technical data protection measures

To protect personal data from breaches, organizations should implement the following solutions:

  1. Authentication

– Using strong, unique passwords that adhere to applicable standards.

– Implementing multi-factor authentication (MFA) for higher-risk accounts.

– Regularly updating login credentials and verifying their validity.

  2. IT infrastructure security

– Regularly updating software and operating systems.

– Segmenting networks and isolating processing processes to minimize the spread of threats.

– Monitoring user activity and maintaining event logs.

– Restricting access by source IP address and changing default port settings (these reduce exposure but are not a substitute for authentication).

  3. Email protection

– Encrypting messages and attachments.

– Using the “Bcc” field when sending emails to multiple recipients.

– Implementing anti-spam and anti-phishing filters.

  4. Malware protection

– Using antivirus and anti-ransomware programs with real-time scanning.

– Creating regular backups and storing them on separate systems.

  5. Protection of external devices

– Encrypting data stored on mobile devices.

– Implementing a VPN for secure remote access.

– Automatically locking accounts after multiple failed login attempts.

  6. Security of paper documents

– Storing documents in locked, damage-resistant locations.

– Destroying documents using professional shredders.

  7. Secure data transport

– Encrypting data media such as flash drives and CDs/DVDs.

– Protecting media against unauthorized access and modification during transport.

Data controllers and processors must be able to demonstrate that they have implemented appropriate security measures tailored to the specific nature of their business. Systematic risk monitoring, reviewing security measures, and adapting them to emerging threats allows for effective protection of personal data and compliance with GDPR regulations.

 

Identification of personal data protection violations

How to detect data breaches?

To effectively manage data protection in accordance with the GDPR, quickly and accurately identifying potential breaches is crucial. Data controllers must have appropriate procedures and technical tools in place to determine whether an incident has occurred that threatens the security of personal data.

Violation detection can be accomplished in a variety of ways, including:

  • reports from employees, co-workers or volunteers,
  • information provided by processors (e.g. IT suppliers, outsourcing companies),
  • signals from data subjects (e.g. customers, patients, students),
  • alerts generated by monitoring systems (e.g. IDS, IPS, DLP),
  • results of audits and compliance checks.

Systems supporting incident detection:

  • IDS (Intrusion Detection System) – monitors network traffic and alerts on detected threats,
  • IPS (Intrusion Prevention System) – detects suspicious activity and automatically blocks it,
  • DLP (Data Loss Prevention) – prevents unauthorized data leakage by monitoring data flows (e.g. email, web uploads, removable media).

Technical measures to support the detection of breaches

To effectively identify threats, organizations should implement modern technological solutions, such as:

  1. Antivirus programs and firewalls – they protect systems against malware and detect potential attacks.
  2. System logs and user activity analysis – enable real-time monitoring of activities and the detection of unauthorized operations.
  3. Automatic notification systems – signal suspicious logins and unusual user behavior.
  4. IAM (Identity and Access Management) systems – control access to data and prevent unauthorized activities.
  5. SIEM (Security Information and Event Management) – collect and analyze data from various sources, enabling the rapid identification of threats.
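As an added example (not code from the page or from the UODO guidelines), the following Python script shows the kind of check behind the "automatic account locking after multiple failed login attempts" measure listed under technical measures above and the "automatic notification systems" that signal suspicious logins (item 3): a sliding-window count of failed logins per account and a new-address check on successful logins, run over a handful of constructed authentication log lines. The log format, the thresholds and the sample lines are assumptions chosen for illustration; in a real deployment the alerts would go to the SIEM and the lockout to the IAM system.

```python
"""Failed-login burst detection and new-address alerts over auth log lines.

Added example, not from the UODO guidelines or the page. The log format,
thresholds and sample lines below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO timestamp> <ok|fail> user=<name> ip=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

MAX_FAILURES = 5                # assumed lockout threshold
WINDOW = timedelta(minutes=10)  # assumed sliding window for counting failures

# Constructed sample log (not real data); "garbage line" exercises malformed input.
SAMPLE_LOG = """\
2025-10-20T08:00:00 ok user=anna ip=10.0.0.5
2025-10-20T08:01:00 fail user=jan ip=203.0.113.7
2025-10-20T08:01:10 fail user=jan ip=203.0.113.7
2025-10-20T08:01:20 fail user=jan ip=203.0.113.7
2025-10-20T08:01:30 fail user=jan ip=203.0.113.7
2025-10-20T08:01:40 fail user=jan ip=203.0.113.7
2025-10-20T08:30:00 ok user=anna ip=198.51.100.9
2025-10-20T09:00:00 fail user=anna ip=10.0.0.5
garbage line
2025-10-20T09:30:00 fail user=anna ip=10.0.0.5
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def analyse(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (locked_users, alerts).

    A user is locked once `max_failures` failed logins fall inside `window`;
    a successful login resets the failure count. A successful login from an
    address never seen before for that user raises a "new address" alert,
    and a success on an already-locked account raises an alert as well.
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    known_ips = defaultdict(set)   # user -> addresses of earlier successful logins
    locked = set()
    alerts = []

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # skip malformed lines instead of aborting the whole run
        user, ts, ip = ev["user"], ev["ts"], ev["ip"]

        if ev["result"] == "fail":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures and user not in locked:
                locked.add(user)
                alerts.append(
                    f"LOCK {user}: {len(q)} failed logins within {window} (last from {ip})"
                )
        else:
            failures[user].clear()
            if user in locked:
                alerts.append(f"ALERT {user}: successful login on a locked account from {ip}")
            elif known_ips[user] and ip not in known_ips[user]:
                alerts.append(f"ALERT {user}: successful login from new address {ip}")
            known_ips[user].add(ip)

    return locked, alerts


if __name__ == "__main__":
    locked_users, found = analyse(SAMPLE_LOG)
    print("locked:", sorted(locked_users))
    for line in found:
        print(line)
```

On the sample log, "jan" is locked at the fifth failure inside ten minutes, "anna" triggers a new-address alert, and her two failures thirty minutes apart never reach the threshold because the window slides. Both the lockout and the alert are events the controller should record, since the moment of detection matters for the breach documentation discussed later on this page.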

 

Organizational measures to support the detection of violations

In addition to technology, effective data protection also requires the implementation of appropriate procedures and organizational measures:

  1. Staff training – regularly educating employees on threat identification and appropriate incident response.
  2. Incident reporting procedures – clear rules for reporting potential breaches and a rapid response to reports.
  3. Designating responsible individuals – dedicated teams monitoring systems and analyzing data breaches.
  4. Regular analysis of logs and security systems – ongoing verification of user activities and risk assessment.
  5. Penetration testing and IT audits – identifying system vulnerabilities and eliminating them on an ongoing basis to minimize risk.

Effectively identifying personal data breaches requires a combination of technical and organizational measures. Organizations should continuously monitor their systems, train staff, and adapt procedures to evolving threats to effectively protect personal data and comply with GDPR requirements.

 

Detecting and managing personal data breaches

The role of processors in detecting breaches

Because personal data processing often involves multiple entities, establishing clear rules for cooperation between the controller and processors is crucial. It is crucial to determine who should notify other parties of a potential incident and when. Efficient information exchange allows for rapid action and compliance with GDPR obligations.

When does a data breach occur?

Identifying a personal data breach requires its formal “ascertainment.” This refers to the point at which the controller obtains sufficient information to recognize the incident as a breach. This occurs when:

– A security incident has occurred.

– It affects personal data.

– It may result in their unauthorized disclosure, alteration, loss, or destruction.

 

Once a breach is identified, the controller should immediately take appropriate action. It is also important to precisely record the moment the incident was detected, as this information may be crucial for reporting the breach to the President of the Personal Data Protection Office and for maintaining mandatory documentation.

Obligations of processors

Processors are required to immediately notify the controller of any detected data breach. However, the final decision on whether an incident constitutes a breach rests with the controller, who is responsible for its assessment and subsequent steps.

 

How to manage data breaches?

Once a breach is detected and confirmed, the controller must take immediate action to:

– Stop the incident – to limit its effects and prevent further spread of the problem.

– Minimize the consequences – to protect the individuals whose data has been breached.

– Restore security – to ensure system stability and eliminate the causes of the breach.

Each case requires an individual approach, so organizations should be prepared for various scenarios and respond appropriately to the scale of the incident.

 

Methods of limiting the effects of violations

– Securing documents or data media to prevent their further disclosure.

– Immediately stopping automated processes that are still spreading the data (e.g. a mailing that is sending personal data to unauthorized recipients).

– Disconnecting infected devices from the network in the event of a cyberattack.

– Blocking the accounts of users responsible for or used in the incident (e.g. accounts with compromised credentials).

– Correcting the inaccurate personal data (e.g. a wrong address) that led to the breach.

 

Actions to minimize the risk to those affected by the breach

– Notifying data subjects so they can take appropriate measures (e.g., changing passwords, monitoring banking transactions).

– Contacting the unauthorized recipient of the data to obtain assurances of non-use and deletion.

– Attempting to recover documents or messages sent in error.

– Cooperating with the relevant authorities (e.g., UODO, CERT, police) to ensure an appropriate response to the breach.

 

Restoring security after a breach

– Restore data from backups if data is lost.

– Eliminate the causes of the breach, for example, by improving security or changing procedures.

– Analyze the incident and implement preventive measures to avoid similar situations in the future.

 

Obligations of processors regarding breach management

Processors should not only report detected breaches to the controller but also take action to mitigate their effects. Cooperation between the parties is crucial for effective incident management and ensuring personal data protection.


Personal data breach risk assessment

How to assess the risk of a personal data breach?

Personal data breaches can pose risks that could adversely affect the rights and freedoms of data subjects. Therefore, data controllers are required to conduct a risk assessment each time a breach is identified. The results of this assessment determine the next steps taken in response to the incident.

While not every data breach necessarily leads to a real threat to individuals’ rights, it’s crucial to assess the risk, not the actual damage. Data controllers should assess the potential consequences and the likelihood of their occurrence, taking into account several factors, such as:

– The type of data breach.

– The nature, sensitivity, and scope of the data being processed.

– The ease of identifying data subjects.

– The severity of the potential impact of the breach on data subjects.

– The specific characteristics of the data subjects, such as age or life situation.

– The specific characteristics of the data controller and the organization processing the data.

– The number of individuals whose data was affected by the breach.

It is important that, when conducting a risk assessment, controllers focus on the individuals whose data they process, not on the organization processing it. The GDPR protects the rights and freedoms of natural persons, so the assessment does not consider the potential consequences for the entity processing the data.

Based on the risk assessment, controllers must determine whether the breach:

– Does not pose a risk to the rights and freedoms of data subjects.

– Does pose a risk, which requires reporting the breach to the President of the Personal Data Protection Office.

– Does pose a high risk, which requires reporting the breach to the President of the Personal Data Protection Office and informing data subjects.

 

Risk assessment in practice

Controllers should conduct an individual risk assessment for each breach. While there is no single, perfect risk assessment method, a complete understanding of the specific data being processed and of the risks associated with the given incident is crucial. The final risk assessment decision rests with the controller, based on the information available.

 

No risk

While generally every breach carries some risk, there are situations in which it can be clearly stated that there is no risk. Such cases include:

– Breach of data that is already publicly available.

– Loss or disclosure of encrypted data, provided the encryption is sound, the key has not been compromised and the controller holds a backup copy of the data.

– Incidents that the controller has already completely remedied.

 

High risk

A controller may determine that a breach poses a high risk to the rights and freedoms of individuals if the potential consequences of the incident are significant and/or likely to occur. There are many factors that may indicate a high risk, including:

– The breach of sensitive personal data, such as data concerning health, sexual orientation, political affiliation, biometric data, criminal conviction data, or financial data.

– The broad scope of data affected by the breach (the more data, the higher the risk).

– The severity of the potential consequences, such as identity theft, financial fraud, financial losses, professional problems, or health damage.

– The data subjects are in a particularly vulnerable situation (e.g. children or the elderly), or a large number of people are affected by the incident.

 

When assessing the risk of a breach of personal data confidentiality, the person to whom the data was disclosed is an important factor. If personal data is accidentally shared, the recipient may not be easily identifiable or, despite attempts to contact them, remain unknown to the controller. Furthermore, even if a relationship with the recipient exists, this may not always be sufficient to justify a more lenient assessment of the risk of negative consequences.

 

Trusted recipient

A “trusted recipient” is an entity that has inadvertently received personal data but who, due to prior positive cooperation with the controller, can be considered trustworthy. This ensures that such a recipient will respond appropriately to the incident and help mitigate the risk of infringement on the rights and freedoms of data subjects.

To consider a recipient “trusted”, controllers must, at a minimum:

  1. Maintain an ongoing relationship with that entity (e.g., a business relationship or shared organizational structure).
  2. Have knowledge of the recipient’s relevant security procedures and a history of prior, positive cooperation in similar situations.

The following may be considered “trusted recipients”:

  1. Other departments within the controller’s organization.
  2. Proven, long-term suppliers of the controller.
  3. Data processors that cooperate closely with the controller.

The concept of a “trusted recipient” helps controllers assess more accurately the risk that a breach poses to the individuals whose data has been exposed. While such a relationship may lower the assessed risk, it does not change the fact that the incident still constitutes a personal data breach. Each case requires individual analysis, and no entity can automatically be treated as a “trusted recipient”.

The decision to treat an unauthorised recipient as “trusted” is always part of the risk assessment for a specific personal data breach. Because it is tied to that assessment, “trusted recipient” status should be reviewed regularly and revised if the circumstances change.

Controllers must be able to demonstrate that they have adequately considered the concept of the “trusted recipient” in their personal data breach risk assessment.

 

Documenting personal data breaches

Documenting personal data breaches is not only the responsibility of data controllers but also an important tool for analyzing the causes and consequences of incidents, as well as assessing the effectiveness of the actions taken by the organization. This allows for transparency and accountability.

Any personal data breach that has been “identified”, regardless of type, nature, or risk of negative consequences, should be thoroughly documented. This is the only way for data controllers to provide detailed information about the events and actions taken, demonstrating that the situation was properly analyzed and appropriate steps were taken to protect the individuals whose data was breached.

Pursuant to Article 33(5) of the GDPR, the controller is obliged to document all personal data breaches, including the circumstances of the breach, its effects, and any remedial measures taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with the GDPR.

While the documentation obligation mainly applies to “identified” personal data breaches, to comply with the accountability principle, controllers should also document incidents that have not been deemed to constitute a data breach, including the reasons for such a decision.

An internal register of personal data breaches can be helpful for this purpose. While the GDPR does not prescribe the form such a register must take, it is important that the information is appropriately marked and available for review when necessary.

The documentation should include:

– Circumstances of the breach (date, time, method of detection, causes, type of breach, type and scope of data, number and categories of data subjects).

– Effects of the breach or possible effects on data subjects.

– Justification for the risk assessment.

– Remedial actions taken (to limit the breach and its effects) and preventive actions (to avoid similar incidents in the future).

– Details regarding reporting the breach to the President of the Personal Data Protection Office (date of reporting, reasons for delay, other relevant information).

– Details regarding notification of data subjects (date of notification, content, method, number of data subjects) or justification for the decision not to notify them.

Documentation should be updated regularly. Any new information about the incident, its impact, or remediation actions may impact the risk assessment and the accuracy of the log.

The GDPR does not set a period after which information about breaches may be deleted; controllers should therefore retain it for as long as it may be needed to demonstrate compliance. The register should not contain personal data of the individuals involved in handling the incident or of those affected by the breach; where such data must be included, the data minimisation principle applies.

 

Reporting personal data breaches to the supervisory authority

What is a “personal data breach notification”?

A “personal data breach notification” is a formal notification to the supervisory authority of an incident that may threaten the confidentiality, integrity or availability of personal data. The notification aims to minimise the risk to data subjects through a prompt response by the controller and cooperation with the President of the Personal Data Protection Office. These actions help mitigate the negative effects of the breach and enable the supervisory authority to monitor whether controllers are complying with their obligations under the GDPR.

Controllers are obliged to report personal data breaches that may pose a risk to the rights or freedoms of natural persons.

It’s worth noting that reporting a data breach does not automatically mean that the controller is guilty of violating GDPR regulations, nor does it automatically lead to the initiation of legal proceedings. Reporting a data breach demonstrates the controller’s responsibility for data protection and its concern for the rights of individuals whose data may be at risk.

Exceptions to the reporting obligation

Breaches that are unlikely to result in a risk to individuals do not require reporting. These are exceptional circumstances, and the controller must be able to demonstrate the absence of risk.

How to report personal data breaches?

A personal data breach must be reported as soon as possible and no later than 72 hours after the controller became aware of it; the deadline continues to run over weekends and public holidays.

Pursuant to Article 33(1) of the GDPR, the controller must notify the supervisory authority of a breach no later than 72 hours after becoming aware of the breach, unless the incident is unlikely to result in a risk to the rights and freedoms of natural persons.

You can report it using the form available on the UODO website.

The notification can be submitted in several ways:

➢ Electronically via the form on the biznes.gov.pl platform;

➢ Electronically via ePUAP to the address /UODO/SkrytkaESP;

➢ Sending the form by e-mail to kancelaria@uodo.gov.pl (in emergency situations).

In the event of problems with the electronic system, a report can be sent by email and, once the failure has ceased, confirmed using the standard method.

Reporting breaches by other entities

Data controllers are responsible for reporting personal data breaches. Where there are joint controllers, they should agree on a division of responsibilities. Under Article 33(2) of the GDPR a processor must notify the controller without undue delay after becoming aware of a breach; it may report the breach to the supervisory authority on the controller’s behalf only with the controller’s consent, and the details of this procedure must be set out in the contract between the parties.

However, controllers remain responsible for reporting a breach, even if the report was made by a processor.

Types of reports

Controllers can submit personal data breach reports in three forms:

➢ Initial report – contains basic information and requires subsequent completion;

➢ Supplementary report – updates or completes the information about the incident;

➢ Complete report – contains the full information in a single submission.

Pursuant to Article 33(4) of the GDPR, if full information is not available within 72 hours, it may be provided successively, without undue delay.

 

Delayed reporting of breaches

If the report is made more than 72 hours after the breach was discovered, the controller must include an explanation of the reasons for the delay.

Pursuant to Article 33(1) of the GDPR, in such cases, the notification must include a justification for the delay. Delays must be the result of exceptional circumstances.

Delays in reporting cannot be justified by, among others:

– The occurrence of a weekend or a public holiday when key personnel are unavailable (the deadline is not suspended for this reason);

– The absence of the person responsible for reporting due to vacation or sick leave, if the controller has not arranged a replacement;

– Lack of management time to approve the report, even though internal procedures should include immediate action;

– Waiting for the completion of an internal investigation aimed at assessing the incident;

– The need to gather additional information, which in such a case can be achieved by making an initial report and supplementing it later.
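The 72-hour window above is an elapsed-time deadline: it is not suspended for weekends or public holidays, and it starts when the controller becomes aware of the breach. The following Python example, added here and not part of the UODO guidance or the original post, computes that deadline in UTC and flags whether a report needs a delay justification. It also shows a common mistake: adding 72 hours to a local wall-clock time in Python silently shifts the real deadline by an hour when a daylight-saving change falls inside the window. The awareness and reporting timestamps are constructed for illustration.

```python
"""Added example (not from the UODO guidance or the KG Legal post).

Computes the Article 33(1) 72-hour reporting deadline from the moment the
controller became aware of a breach. The deadline is 72 elapsed hours,
not suspended for weekends or public holidays, so it is computed in UTC;
adding 72 hours to a local wall-clock time shifts the deadline by an hour
across a DST change. All timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

WARSAW = ZoneInfo("Europe/Warsaw")
WINDOW = timedelta(hours=72)

# Constructed scenario: awareness on Friday evening, CEST (UTC+2).
# Clocks go back to CET (UTC+1) on Sunday 2025-10-26, inside the window.
EXAMPLE_AWARENESS = datetime(2025, 10, 24, 18, 0, tzinfo=WARSAW)


def as_utc(ts: datetime) -> datetime:
    """Normalise an aware timestamp to UTC; naive timestamps are ambiguous around DST."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc)


def reporting_deadline(aware_at: datetime) -> datetime:
    """72 elapsed hours after awareness, in UTC. Weekends and holidays do not extend it."""
    return as_utc(aware_at) + WINDOW


def naive_wallclock_deadline(aware_at: datetime) -> datetime:
    """The mistake: arithmetic on a local aware datetime adds 72 h to the clock face,
    so a DST change in between moves the real (absolute) deadline by an hour."""
    return aware_at + WINDOW


def assess_report(aware_at: datetime, reported_at: datetime) -> dict:
    """Classify a report against the 72 h window; a late report needs a justification."""
    deadline = reporting_deadline(aware_at)
    elapsed_h = (as_utc(reported_at) - as_utc(aware_at)) / timedelta(hours=1)
    late = as_utc(reported_at) > deadline
    return {
        "deadline_local": deadline.astimezone(WARSAW).isoformat(),
        "hours_elapsed": round(elapsed_h, 2),
        "late": late,
        "justification_required": late,
    }


def demo() -> dict:
    """Run the constructed scenario and return plain values for inspection."""
    correct = reporting_deadline(EXAMPLE_AWARENESS)
    naive = as_utc(naive_wallclock_deadline(EXAMPLE_AWARENESS))
    # Constructed: the report is filed Monday 17:30 CET, half an hour late.
    report = assess_report(EXAMPLE_AWARENESS, datetime(2025, 10, 27, 17, 30, tzinfo=WARSAW))
    return {
        "deadline_utc": correct.isoformat(),
        "deadline_local": correct.astimezone(WARSAW).isoformat(),
        "deadline_weekday": correct.astimezone(WARSAW).strftime("%A"),
        "naive_drift_hours": (naive - correct) / timedelta(hours=1),
        "report": report,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With awareness on Friday 18:00 CEST, the deadline falls on Monday 17:00 CET (16:00 UTC), not Wednesday: the weekend counts. The wall-clock calculation gives Monday 18:00 CET, one hour too late; a controller relying on it would file a report that already needs a justification for the delay.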

 

What information should be included in a personal data breach report?

Data controllers are required to provide the President of the Personal Data Protection Office with all relevant information regarding a personal data breach. The minimum requirements that must be met are specified in law.

Violation reporting requirements:

A personal data breach report must include at least:

  1. Description of the nature of the breach, including, where possible:
    • The categories of personal data and of data subjects concerned.
    • The approximate number of data subjects affected by the breach.
    • The approximate number of personal data records concerned.
  2. Contact details: Name, surname and contact details of the Data Protection Officer (DPO) or other contact point where you can obtain additional information.
  3. Description of the possible consequences of a personal data breach.
  4. Measures taken or proposed to remedy the situation, including actions to minimise the effects of the breach.

Additional information worth considering:

  • Basic data of the controller and other entities related to the incident (e.g. joint controllers, processors).
  • Circumstances of the breach (date and time of the incident, method of detection, causes, course and type of data affected by the breach).
  • The consequences of the breach, if any, or the potential consequences for individuals whose data was disclosed.
  • Breach risk assessment.
  • Remedial actions (already taken or planned), as well as deadlines for their implementation.
  • Security measures to prevent similar incidents in the future, along with an expected date of implementation.
  • Details of notification of individuals about the breach (date, method, content of notification, number of individuals if the controller has already notified individuals).
  • Contact details of the DPO or other contact point within the organisation.

Properly reporting a personal data breach requires accuracy and diligence. Inaccuracies or excess information can slow down the verification process and incident response, which can ultimately lead to increased risk for those whose data has been breached.

 

Notifying data subjects of a personal data breach

What is a data breach notification?

The controller is obligated to notify data subjects if a breach is likely to result in a high risk to their rights and freedoms. The purpose is to inform individuals whose data has been breached so that they can take appropriate steps to protect their interests.

Obligation to notify:

If a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the controller is obliged to inform these persons of the incident without delay.

Exceptions to the notification obligation:

The controller does not have to notify individuals if:

  1. Appropriate technical and organisational measures were applied to the affected data, rendering it unintelligible to unauthorised persons (e.g. strong encryption with a key that was not compromised).
  2. Following the breach, remedial actions were taken that ensure the high risk is no longer likely to materialise.
  3. Individual notification would require a disproportionate effort, in which case a public communication or similar measure must be used to inform individuals equally effectively.

How to notify data subjects?

Controllers are obliged to ensure:

  • Promptness: Notification should be made as soon as possible after the breach is discovered.
  • Understandability: The message must be clear and accessible.
  • Appropriate means of communication: Depending on the circumstances, these may include e-mails, letters, or website announcements.

Notifications by other entities:

Generally, controllers are responsible for notifying individuals. However, processors may only notify with the controller’s written authorization. In such a case, the notification must clearly indicate who the controller is and who the processor is.

Exceptional circumstances:

Notifications may be delayed if a law enforcement agency requires it for legitimate reasons, such as during an investigation.

Clear information for data subjects

Personal data breach notifications should be communicated in a clear, concise, and understandable manner, using simple and transparent language. They should be easy for the recipient to understand and contain essential information in a way that allows for quick assimilation. Such communication must be accessible so that data subjects can easily find all necessary information.

Methods of informing data subjects

Notifications should be addressed individually to each person and contain information relevant to their situation. Because a breach can affect different individuals differently (e.g. depending on the type of data involved), controllers should tailor the content of the communication to the recipient. The notification should be something the recipient can return to, so written communication (e.g. a letter or e-mail) is usually the most appropriate. Departing from the written form is only possible at the express request of the data subject.

Here are some examples of communication methods that may be used to inform individuals about data breaches:

  • SMS
  • E-mail
  • Traditional post
  • Delivery of the information in person

Notices must be delivered in a manner dedicated to this purpose and their content should not be combined with other communications such as advertisements or newsletters.

Alternative notification methods

In situations where individual notification would require a disproportionate effort, controllers may consider providing the information by:

  • Public announcement
  • Other equally effective means of communication.

Such notices should be posted in clearly visible places and ensure long-term availability so that everyone can become familiar with their content.

When standard notification methods do not work

If a controller has difficulty reaching a data subject effectively through the chosen method, it should consider alternative means of communication. If these also prove ineffective, the controller should make sure the notification can still be delivered later, for example by attempting contact again.

Where a controller departs from the standard notification methods, it must be able to justify why that was necessary in the given situation.

What information should be provided to data subjects?

Controllers should provide individuals with all the information necessary to understand the situation and take appropriate actions to help them minimize the negative effects of a personal data breach.

 

Recital 86 of the GDPR

The notification should include a detailed description of the breach and recommendations regarding actions the individual should take to minimize possible adverse effects.

 

Legal provisions regarding notification to data subjects

Pursuant to Article 34(2) of the GDPR, the notification to the data subject must describe, in clear and plain language, the nature of the personal data breach and include the information required by Article 33(3)(b), (c) and (d) of the GDPR.

Important elements that should be included in the notification:

  • Contact details of the controller and other entities involved in the incident, such as data processors
  • Circumstances of the breach (including date and time of the incident, causes of the breach, type of data affected by the breach)
  • The consequences or potential consequences of the breach for data subjects
  • Taken or planned remedial measures
  • Recommendations on actions a person should take to minimize the effects
  • Contact details of the data protection officer or other contact point within the controller’s organisation

Data controllers must ensure that notifications are accurate, consistent, and complete. Avoid inaccuracies, such as misrepresenting the impact or omitting details about the data affected by the breach, as this can delay the incident response and increase the risk to data subjects.

 

Cross-border personal data breach

What is a “cross-border personal data breach”?

A “cross-border personal data breach” refers to a security incident that:

  1. May affect the confidentiality, integrity or availability of personal data processed in two or more EU Member States; or
  2. It may have a significant impact on the confidentiality, integrity or availability of personal data of individuals in more than one EU Member State.

Article 4(23) of the GDPR explains that “cross-border processing” means:

(a) Processing of personal data carried out in the Union in the context of the activities of establishments of a controller or processor in more than one Member State; or (b) Processing of personal data carried out in the Union but which has or is likely to have a significant impact on data subjects in more than one Member State.

Differences between domestic and cross-border personal data breaches

The main difference between a domestic and a cross-border breach lies in the territorial scope of the incident and the need for cooperation between supervisory authorities in different EU Member States. A key role is played by the “lead supervisory authority”, which is the supervisory authority of the Member State in which:

  • The controller’s main establishment is located, or
  • The key decisions about the purposes and means of the processing are made.

Actions of controllers in the event of cross-border data processing

Data controllers should be prepared to take the following actions in the event of a cross-border personal data breach:

  1. Determining whether a data breach is cross-border in nature.
  2. Identify the lead supervisory authority to which the breach should be reported and with whom further communication on the matter should be conducted.
  3. Adapting the form and content of personal data breach notifications to situations where data subjects come from different EU countries. This may include, for example, taking into account language differences, local regulations, or specific circumstances that may affect how individuals receive the communication.

If there is any doubt as to which authority is the lead supervisory authority, the controller should report the personal data breach to its local supervisory authority, which will handle the further steps and provide guidance on how to deal with the breach.

 

Source: https://uodo.gov.pl/pl/138/3561
