Article 33
Notification of a personal data breach to the supervisory authority

Recitals of the Regulation related to article 33

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

(86) The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.

(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

(88) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

There is no recital in the Directive related to article 33.

The GDPR

Article 33 of the Regulation generalises the obligation to notify personal data breaches to the supervisory authority and specifies its content (see also G29, Opinion 03/2014 of 25 March 2014, on the notification of personal data breaches).

Pursuant to Article 33 (1), any personal data breach, as defined in Article 4 (12) of the Regulation, i.e. “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, must as a rule be notified to the supervisory authority.

In the second proposed version of the Regulation, only data breaches that were likely to expose individuals to a risk to their rights and freedoms were covered by the obligation to notify the supervisory authority. Examples were given in Article 33 (1): discrimination, identity theft or impersonation, financial loss, unauthorised reversal of pseudonymisation, loss of reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social damage.

In its latest version, the rule is reversed: any breach of data must be subject to a notification unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

The Regulation also sets the time limit for notification, which runs from the moment the breach becomes known to the controller. The notification must be made without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The minimum content of the notification, part of which may be deferred (without undue further delay, see Article 33 (4)), is also set by the provision:

- description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned (Article 33 (3), a));

- the name and contact details of the data protection officer or other contact point (Article 33 (3), b));

- description of the likely consequences of the personal data breach (Article 33 (3), c)); 

- description of the measures taken or proposed to be taken by the controller to address the personal data breach (Article 33 (3), d)).

Finally, the controller must document each breach, recording its context, its effects and the measures taken to remedy it. This documentation enables the supervisory authority to verify compliance with Article 33.

The Directive

The Directive did not provide for an obligation of notification in the event of a personal data breach. On the other hand, a notification mechanism had been set up by Directive 2002/58/EC on privacy and electronic communications, supplemented by Regulation (EU) No 611/2013 on the measures applicable to the notification of personal data breaches.

Potential issues

Since not all data breaches give rise to an obligation to notify, the question arises of how to assess whether a risk to the rights and freedoms of data subjects is unlikely. This is a delicate evaluation in practice which, in view of the possible sanctions (see Article 83), requires those responsible to strike a difficult balance between the fear of punishment and the fear of the reputational damage that may result from notifying the breach to the authorities (and, where appropriate, to the data subjects; see Article 34).

Summary

European Union


European Data Protection Board (EDPB)

Guidelines on Examples regarding Personal Data Breach Notification - 1/2021 (14 December 2021)


Guidelines 9/2022 on personal data breach notification under GDPR (28 March 2023)

The GDPR introduced the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.

Obligations to notify in cases of breaches existed for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There were also some Member States that already had their own national breach notification obligation. This might have included the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States might have had relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities encouraged controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaced, did not contain a specific breach notification obligation and therefore such a requirement was new for many organisations. The GDPR makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.

The EDPB considers that the notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 GDPR a possible sanction is applicable to the controller.

Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.

The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.

In its Opinion 03/2014 on personal data breach notification, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.

The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.


Article 29 Working Party

Guidelines on Personal data breach notification under Regulation 2016/679 - wp250rev.01 (6 February 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.

Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States may have relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities currently encourage controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaces, does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.

The Article 29 Working Party (WP29) considers that the new notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 a possible sanction is applicable to the controller.

Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.

The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.

In its Opinion 03/2014 on personal data breach notification, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.

The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.


National authority

The Polish supervisory authority, the Prezes Urzędu Ochrony Danych Osobowych (President of the Personal Data Protection Office), has issued guidelines on the notification of a personal data breach to the supervisory authority: https://uodo.gov.pl/pl/138/3561

Highlights of the guidelines:

7. Assessment of the risk related to personal data breaches

7.1. How to assess the risk related to personal data breaches?

Some personal data breaches may adversely affect the situation of data subjects, creating a risk to their rights or freedoms.

The consequences of incidents may vary. For this reason, controllers are required to carry out an individual assessment of the risk to the rights and freedoms of natural persons each time they “become aware” of a personal data breach. The outcome of that assessment determines the subsequent steps taken in relation to each incident.

Note:
It may be the case that a personal data breach ultimately does not lead to an infringement of the rights or freedoms of natural persons. Controllers assess only the risk that such a situation may occur, rather than the damage actually suffered.

In order to assess the risk properly, controllers should estimate:
➢ the severity of the potential consequences; and
➢ the likelihood of their occurrence;

taking into account the following circumstances of the incident:

➢ the type of personal data breach;
➢ the nature, sensitivity and volume of the personal data;
➢ the ease of identification of the data subjects;
➢ the severity of the consequences for the data subjects;
➢ the particular characteristics of the data subjects;
➢ the particular characteristics of the controller;
➢ the number of data subjects.

Note:
The GDPR concerns only the rights and freedoms of natural persons. Accordingly, when assessing the risk related to a personal data breach, the consequences for the organisation processing the data as such (e.g. a legal person) are irrelevant. In this process, controllers should adopt the perspective of the data subjects.

Controllers must determine whether a personal data breach may involve:
➢ no risk;
➢ a risk, which requires notification to the President of the Personal Data Protection Office (UODO); or
➢ a high risk, which entails an obligation to notify the President of the Personal Data Protection Office (UODO) and to communicate the breach to the data subjects.

Other obligations, such as addressing personal data breaches and documenting them, apply to all “established” personal data breaches, irrespective of the outcome of the risk assessment.

There are many different methods of risk estimation; however, none guarantees correct results. Nothing can replace a thorough understanding of the specific nature of the processing and an awareness of existing threats. Controllers should be sufficiently familiar with the process to be able to oversee it and, in each case, to take the final decisions on the risk assessment themselves.

Note:
Controllers must be ready to demonstrate that they have properly assessed the risk related to a personal data breach and, on that basis, have taken appropriate measures.

No risk
Although, as a rule, personal data breaches entail some risk to the rights and freedoms of natural persons, there are situations in which it can be clearly established that such a risk is unlikely to materialise.

These include, in particular, cases involving:
➢ disclosure of data that is already publicly available;
➢ disclosure or loss of data encrypted in a manner ensuring that it is unintelligible to unauthorised persons (where such data are secured with a key that has not been compromised, and the controller has access to a backup copy);
➢ incidents that the controller has definitively remedied.

Example 7.1.1
An employee of a publishing house mistakenly sent an unauthorised person details of a well-known writer’s illness, which were to be included in his autobiography. However, the information had previously been disclosed by the writer himself in a television interview and on social media, where he publicly shared the story of his illness. In such a case, it could be clearly established that there was no risk to the rights or freedoms of the data subject.

Example 7.1.2
A laptop belonging to an employee of a dental clinic containing patient data was lost. The device was protected by encryption using a reliable method (given the then-current state of technical knowledge), and the encryption key was neither lost nor broken. In addition, the clinic had a backup copy of all patient information. In such a case, it could be clearly established that there was no risk to the rights or freedoms of the data subjects.

Example 7.1.3
An employee of a construction company disposed of HR and financial documents (containing, inter alia, first names, surnames, PESEL numbers and information on remuneration) in a waste container located on the company’s closed and monitored premises. After approximately one hour, the employee realised the mistake and the controller took immediate action, retrieving and securing the documents. Although the incident could initially have led to serious consequences, the recordings confirmed that no unauthorised persons had accessed the documents and that the incident had been effectively remedied. In such a case, it could be clearly established that there was no risk to the rights or freedoms of the data subjects.

It should be borne in mind that, over time or as further information becomes available, the risk assessment may need to be updated.

High risk

Controllers may determine that a personal data breach entails a high risk to the rights and freedoms of natural persons. This means that the potential consequences of the incident may be:
➢ severe; and/or
➢ highly likely to occur.

While each incident must be assessed on a case-by-case basis, taking into account various criteria, certain circumstances may indicate high risk, including, inter alia:
➢ the breach involving sensitive personal data (such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, financial data, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation, as well as data relating to convictions and offences), and also information commonly used to verify identity or conclude contracts, such as the series and number of an identity card and the PESEL number;
➢ a broad scope of personal data affected by the incident (the broader the scope, the higher the risk);
➢ the particular severity of the possible consequences of the incident (such as identity theft, financial fraud, financial loss, professional difficulties, harm to health, severe stress, anxiety and a reduced sense of security);
➢ the particular nature of the persons affected by the incident (such as children, older persons and persons in need or in a difficult life situation);
➢ a large number of persons affected by the incident (the greater the number, the higher the likelihood of a negative consequence).

Example 7.1.4
A cyberattack on a travel agency resulted in the disclosure of data of thousands of customers, including PESEL numbers, residential addresses, telephone numbers, passport numbers and travel history. The combination of PESEL numbers and other identifying data entails a serious risk, as it may enable contracts to be concluded, loans to be taken out or services to be obtained in another person’s name. With such data, criminals may attempt to access bank accounts, create fraudulent bookings or manipulate data in financial systems. As a result, persons affected by the breach of confidentiality may be exposed to identity theft, financial fraud and prolonged difficulties related to explaining and invalidating fraudulent liabilities. Given the wide potential for misuse, the controller considered that the incident created a high risk to the rights and freedoms of natural persons.

Example 7.1.5
A system error in a hospital resulted in the incorrect updating of patients’ medical data, including information on allergies and medications taken. The errors remained undetected for a prolonged period, posing a serious threat to patients’ health and life. In the event of subsequent hospitalisation or an emergency procedure, patients could receive incorrect medicines or undergo inappropriate medical procedures, which could lead to serious allergic reactions, dangerous drug interactions or even fatal complications. In such a situation, the breach of integrity may result in direct harm to health and a significant reduction in patient safety, given that patients trust that medical records reflect their actual health status. Due to the serious threat to health, the controller considered that the incident created a high risk to the rights and freedoms of natural persons.

Example 7.1.6
A failure of the database of persons with disabilities using specialised public transport resulted in the service being unavailable for several days. Users were unable to book rides either by phone or in person, which was particularly burdensome for persons dependent on this form of transport. The breach of availability meant that many people lost the ability to get to work or access other essential services, significantly affecting their daily functioning. Given the particular dependence of the persons concerned on this service, the controller considered that the incident created a high risk to the rights and freedoms of natural persons.

7.2. Who is a “trusted recipient”?

When assessing the risk related to breaches of confidentiality of personal data, it may be relevant to whom the personal data was disclosed.

Recipients to whom personal data has been disclosed by mistake may remain unidentified or—despite attempts to contact them—may be unknown to the controller. Moreover, even the existence of a relationship with such a recipient may not be sufficient to justify a lower assessment of the risk of adverse consequences.

A “trusted recipient” is an entity that has received personal data accidentally but, due to the existing positive cooperation with the controller, may be regarded as trustworthy. There is sufficient assurance that the recipient will respond appropriately and will contribute to mitigating the risk to the rights and freedoms of the data subjects.

In order to determine that an unauthorised recipient is a “trusted recipient”, controllers must at least:
➢ maintain ongoing relations with the recipient (e.g. close business cooperation or within a common organisational structure);
➢ know relevant details about the recipient (e.g. security procedures and a track record of positive cooperation in similar situations).

Example 7.3.1
A trusted recipient may include, for example:
➢ another department within the controller’s organisation;
➢ a verified, long-standing supplier of the controller;
➢ a professional processor closely cooperating with the controller.

The concept of a “trusted recipient” allows controllers to assess more accurately the risk of consequences for data subjects following an incident. An existing relationship may mitigate that assessment, but it does not affect the classification of the event as a personal data breach.

It should be borne in mind that each case requires an individual assessment and no entity can be considered a “trusted recipient” in advance.

Note:
Treating an unauthorised recipient as a “trusted recipient” is always done as part of the risk assessment relating to a specific breach of confidentiality of personal data. Accordingly, the “trusted recipient” status should be monitored, which in justified cases may mean that the risk assessment needs to be revised.

Note:
Controllers must be ready to demonstrate that they have appropriately applied the “trusted recipient” concept in the risk assessment related to a personal data breach.


Others

Official website with a form to report a personal data breach: https://www.biznes.gov.pl/pl/portal/ou889

Regulation

Art. 33

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

1st proposal

Art. 31

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach.

3. The notification referred to in paragraph 1 must at least:

(a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;

(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;

(c) recommend measures to mitigate the possible adverse effects of the personal data breach;

(d) describe the consequences of the personal data breach;

(e) describe the measures proposed or taken by the controller to address the personal data breach.

4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2nd proposal

Art. 31

1. In the case of a personal data breach which is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 51. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.

1a. The notification referred to in paragraph 1 shall not be required if a communication to the data subject is not required under Article 32(3)(a) and (b).

2. (...) The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 must at least:

(a) describe the nature of the personal data breach including, where possible and appropriate, the approximate categories and number of data subjects concerned and the categories and approximate number of data records concerned;

(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;

(c) (...)

(d) describe the likely consequences of the personal data breach identified by the controller;

(e) describe the measures taken or proposed to be taken by the controller to address the personal data breach; and

(f) where appropriate, indicate measures to mitigate the possible adverse effects of the personal data breach.

3a. Where, and in so far as, it is not possible to provide the information referred to in paragraph 3 (d), (e) and (f) at the same time as the information referred to in points (a) and (b) of paragraph 3, the controller shall provide this information without undue further delay.

4. The controller shall document any personal data breaches referred to in paragraphs 1 and 2, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. (...).

5. (...)

6. (....)

Directive

COMMISSION REGULATION (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications

Art. 2

1.   The provider shall notify all personal data breaches to the competent national authority.

2.   The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible.

The provider shall include in its notification to the competent national authority the information set out in Annex I.

Detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation.

3.   Where all the information set out in Annex I is not available and further investigation of the personal data breach is required, the provider shall be permitted to make an initial notification to the competent national authority no later than 24 hours after the detection of the personal data breach. This initial notification to the competent national authority shall include the information set out in Section 1 of Annex I. The provider shall make a second notification to the competent national authority as soon as possible, and at the latest within three days following the initial notification. This second notification shall include the information set out in Section 2 of Annex I and, where necessary, update the information already provided.

Where the provider, despite its investigations, is unable to provide all information within the three-day period from the initial notification, the provider shall notify as much information as it disposes within that timeframe and shall submit to the competent national authority a reasoned justification for the late notification of the remaining information. The provider shall notify the remaining information to the competent national authority and, where necessary, update the information already provided, as soon as possible.

4.   The competent national authority shall provide to all providers established in the Member State concerned a secure electronic means for notification of personal data breaches and information on the procedures for its access and use. Where necessary, the Commission shall convene meetings with competent national authorities to facilitate the application of this provision.

5.   Where the personal data breach affects subscribers or individuals from Member States other than that of the competent national authority to which the personal data breach has been notified, the competent national authority shall inform the other national authorities concerned.

To facilitate the application of this provision, the Commission shall create and maintain a list of the competent national authorities and the appropriate contact points.

The GDPR has been in force and fully applicable in Poland since May 25, 2018.

The Act on Protection of Personal Data of 29th August 1997 [unified text: Journal of Laws 2015, item 2135, 2281] has not been in force since May 25, 2018. It was replaced by a new regulation, the Act on Personal Data Protection of 10th May 2018, which implements the GDPR in Poland.

The Act on Personal Data Protection of 10th May 2018:

Article 55 [Operation of an ICT system for the purpose of notification of personal data breaches]
The President of the Office may operate an ICT system enabling controllers to notify a personal data breach referred to in Article 33 of Regulation (EU) 2016/679.

Chapter 7. Proceedings in cases of infringement of provisions on the protection of personal data

Article 60 [Body conducting proceedings in cases of infringement of provisions]
Proceedings concerning an infringement of provisions on the protection of personal data, hereinafter “proceedings”, shall be conducted by the President of the Office.

Article 61 [Participation of a social organisation]
A social organisation referred to in Article 31 § 1 of the Act of 14 June 1960 — the Code of Administrative Procedure may also participate in the proceedings, with the consent of the data subject, in his/her name and on his/her behalf.

Article 62 [Proceedings in the event of delay in handling a case]
In the case referred to in Article 36 of the Act of 14 June 1960 — the Code of Administrative Procedure, when notifying the parties that the case has not been dealt with within the time limit, the President of the Office shall also be obliged to inform them of the state of the case and of the activities carried out in the course of the proceedings.

Article 63 [Translation of documentation]
The President of the Office may request a party to provide a Polish translation of documentation submitted by that party which has been drawn up in a foreign language. The party shall be obliged to provide the translation at its own expense.

Article 64 [Right of access to information covered by legally protected secrecy]
For the purpose of carrying out his/her tasks, the President of the Office shall have the right of access to information covered by legally protected secrecy, unless specific provisions provide otherwise.

Article 65 [Right to designate confidential information]

1. A party may designate as confidential any information, documents or parts thereof containing a trade secret submitted to the President of the Office. In such a case, the party shall also be obliged to provide the President of the Office with a version of the document not containing the information designated as confidential.

2. Where a version of the document not containing the information designated as confidential is not provided, the designation shall be deemed ineffective.

3. The President of the Office may lift the designation, by way of a decision, if he/she considers that the information, documents or parts thereof do not meet the conditions for being covered by a trade secret.

4. Where there is a statutory obligation to transmit information or documents received from undertakings to other national or foreign authorities or institutions, such information and documents shall be transmitted together with the designation and subject to compliance therewith.

Article 66 [Order refusing a party access to the case file, and the taking of notes, copies and extracts]

The President of the Office shall issue the order referred to in Article 74 § 2 of the Act of 14 June 1960 — the Code of Administrative Procedure also where the disclosure of information and documents referred to in Article 65(1) risks the disclosure of legally protected secrets or a trade secret, where a restriction of access to the file is requested by the undertaking from which the information originates.

Article 67 [Notification of the parties by public notice]

Where the number of parties to the proceedings exceeds 20, the President of the Office may apply Article 49 of the Act of 14 June 1960 — the Code of Administrative Procedure.

Article 68 [Need to supplement evidence; inspection procedure]

1. Where, in the course of the proceedings, it becomes necessary to supplement the evidence, the President of the Office may carry out an inspection procedure.

2. The period of the inspection procedure shall not be included in the time limits referred to in Article 35 of the Act of 14 June 1960 — the Code of Administrative Procedure.

Article 69 [Fine for unjustified failure to appear]

1. In the case referred to in Article 88 of the Act of 14 June 1960 — the Code of Administrative Procedure, the President of the Office shall impose a fine of between PLN 500 and PLN 5,000. When imposing the fine, the President of the Office shall take into account:

  1. in the case of a natural person — the personal situation of the person summoned and the degree to which he/she understands the seriousness of the obligations arising from the summons; or
  2. the need to adjust the amount of the fine to the objective of compelling the person summoned to comply with the summons.

2. The fine referred to in paragraph 1 may also be imposed where the party refused to provide a Polish translation of documentation drawn up in a foreign language.

Article 70 [Order restricting the scope of data processing]

1. Where, in the course of the proceedings, it is made plausible that the processing of personal data infringes the provisions on the protection of personal data and further processing may cause serious and difficult-to-remedy effects, the President of the Office may, in order to prevent such effects, by way of an order, require the entity accused of infringing provisions on the protection of personal data to restrict the processing of personal data, indicating the permissible scope of such processing.

2. In the order referred to in paragraph 1, the President of the Office shall specify the duration of the restriction on the processing of personal data, which may not extend beyond the date of issuance of the decision ending the proceedings.

3. A complaint may be lodged with the administrative court against the order referred to in paragraph 1.

Article 71 [Application to request a preliminary ruling under Article 267 TFEU]

1. Where, in the course of the proceedings, the President of the Office considers that there are reasonable doubts as to the validity under EU law of a decision of the European Commission referred to in Article 40(9) concerning a code of conduct referred to in Article 46(2)(e), and of a decision referred to in Article 45(3) and (5) and Article 46(2)(c) of Regulation (EU) 2016/679, the President of the Office shall apply to the administrative court to request a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union on the validity of the relevant decision of the European Commission.

2. The application referred to in paragraph 1 shall, in addition to complying with the requirements for a complaint referred to in Article 64 § 2 of the Act of 30 August 2002 — Law on Proceedings before Administrative Courts (Journal of Laws of 2018, item 1302, as amended), include in particular:

    1. an indication of the European Commission decision to which the application relates;

    2. an explanation of the reasons why the President of the Office has doubts as to the validity of the European Commission decision and its incompatibility with the law;

    3. the wording of the question or questions to be referred by the administrative court to the Court of Justice of the European Union, including:

      a) the subject-matter of the dispute and the findings as to the factual circumstances, including the position of a party raised in the proceedings before the authority, if submitted by that party,

      b) an indication of the provisions of law applicable to the case,

      c) the proposed wording of the question or questions to be referred by the administrative court to the Court of Justice of the European Union;

    4. a statement confirming that the content of the annex referred to in paragraph 3 is consistent with the application submitted in paper form.

3. An annex containing the content of the application in the form of an electronic document saved on a data storage medium in a format allowing its content to be edited shall be attached to the application referred to in paragraph 1.

4. The President of the Office shall be the party to the proceedings before the administrative court in respect of the application referred to in paragraph 1.

5. The administrative court shall examine the application referred to in paragraph 1 in closed session, in a panel of three judges.

6. Where the administrative court considers the application referred to in paragraph 1 to be well founded, it shall refer a question for a preliminary ruling to the Court of Justice of the European Union under Article 267 TFEU.

7. Where the administrative court considers that the application referred to in paragraph 1 does not contain sufficient reasons to refer a question for a preliminary ruling to the Court of Justice of the European Union, it shall issue an order refusing to make such a reference.

8. No appeal shall lie against the order referred to in paragraph 7.

9. The administrative court shall draw up the reasons for the order referred to in paragraph 7 within 21 days.

10. No court fee shall be charged for the application referred to in paragraph 1.

Article 72 [Statement of reasons for the imposition of an administrative fine]
In the statement of reasons for the decision ending the proceedings, the conditions set out in Article 83(2) of Regulation (EU) 2016/679 on which the President of the Office relied when imposing an administrative fine and determining its amount shall also be indicated.

Article 73 [Obligation to make available without delay a decision finding an infringement]

1. Where the President of the Office considers that the public interest so requires, after the proceedings have ended he/she shall inform of the issuance of the decision on his/her official website in the Public Information Bulletin.

2. Public finance sector units, research institutes and the National Bank of Poland in respect of which the President of the Office has issued a final decision finding an infringement shall, without delay, make public on their website or official website in the Public Information Bulletin information on the measures taken to implement the decision.

Article 74 [Effects of lodging a complaint with the administrative court]
The lodging by a party of a complaint with the administrative court shall suspend enforcement of the decision insofar as the administrative fine is concerned.

Old law

No (special) provision under Polish law.
