Month: March 2025

In today’s digital world, data protection is becoming an increasingly important topic. Every organisation that processes personal data must be prepared for potential data breaches and know how to proceed in such a situation. In this article, we will discuss the most important issues related to personal data breaches in the light of the GDPR based on the publication of the UODO (Polish Data Protection Authority) entitled ‘Guide under the GDPR – obligations of administrators related to personal data breaches v2’.

What is a data breach?

A data breach is a security incident that leads to accidental or unlawful:

• data destruction
• data loss
• data modification
• unauthorised disclosure of data
• unauthorised access to data

A breach can be both a deliberate action (e.g. a cyber attack) and an accidental event (e.g. losing a data carrier). The key point is that the breach concerns personal data being processed and can have a negative impact on the rights and freedoms of the data subjects.

Why are breaches dangerous?

Data breaches can have serious consequences for data subjects, such as:

• physical injury
• property damage (e.g. identity theft, financial fraud)
• non-pecuniary damage (e.g. damage to reputation, mental stress)

Even seemingly insignificant incidents can have far-reaching consequences. It is therefore important that data controllers respond appropriately to any violations.

Who is responsible for data protection?

The main responsibility lies with the data controller, i.e. the entity that determines the purposes and means of processing personal data. It is the controller who must implement appropriate technical and organisational measures to ensure data security.

The following also play an important role:

• Processors – process data on behalf of the controller
• Data Protection Officers (DPO) – advise and monitor compliance with the GDPR

What are the responsibilities of the controller?

In the context of personal data breaches, the controller has the following responsibilities:

1. Preventing breaches by implementing appropriate safeguards
2. Detecting and identifying breaches
3. Responding to breaches:
4. Remediation of the breach and minimisation of its effects
5. Assessment of the risk associated with the breach
6. Reporting of the breach to the supervisory authority (if there is a risk)
7. Notification of the data subjects (in case of high risk)
8. Documentation of the breach

How can data breaches be prevented?

The key is to implement appropriate technical and organisational measures, such as:

• Data encryption and pseudonymisation
• Regular testing and evaluation of the effectiveness of security measures
• Employee training
• Incident response procedures
• Control of data access
• Data backups

The selection of measures should be based on an analysis of the risks associated with the processing.

How to detect violations?

Administrators should implement monitoring and incident detection systems, such as:

• Intrusion detection systems (IDS/IPS)
• Anti-virus software
• Analysis of system logs
• Procedures for reporting incidents by employees

It is also important to train staff to recognise potential violations.

What to do after a breach has been detected?

After a breach has been detected, the controller should:

1. Take immediate action to contain the breach and minimise its impact
2. Assess the risk to the rights and freedoms of data subjects
3. Report the breach to the supervisory authority within 72 hours if there is a risk (unless it can be demonstrated that the risk is unlikely to materialise)
4. Notify the data subjects if there is a high risk
5. Document the breach and the measures taken

Reporting breaches to the supervisory authority

The notification to the President of the Personal Data Protection Office should include:

• A description of the nature of the breach
• The categories and approximate number of data subjects
• The possible consequences of the breach
• The measures taken to remedy the breach
• The contact details of the Data Protection Officer or other contact point

The notification can be made electronically via a dedicated form or ePUAP.

Notification of data subjects

In the event of a high risk, the controller must notify the data subjects without undue delay. The notification should:

• Be written in simple and clear language
• Describe the nature of the breach
• Include the contact details of the DPO or other contact point
• Describe the possible consequences of the breach
• Describe the measures taken to remedy the breach
• Include recommendations for individuals to minimise potential negative effects

Notifications can be made directly (e.g. by email) or through a public announcement.

Documenting breaches

The controller must document all violations, regardless of whether they were reported. The documentation should include:

• The circumstances of the violation
• Its effects
• The remedial measures taken
• The reasoning behind the decision regarding the report/notification
• The documentation serves as proof of compliance with the GDPR and may be subject to inspection by the supervisory authority.

Cross-border personal data breaches

A cross-border data breach is an incident that involves the processing of personal data in more than one member state of the European Union. This can be because the controller or processor has organisational units in several EU countries, or when the breach affects data subjects in different member states.

In the case of cross-border data breaches, the incident reporting and management process becomes more complex. Controllers must cooperate with supervisory authorities in different countries and also take into account differences in local regulations and procedures. It is crucial to quickly determine which supervisory authority is the lead authority in a given case and to ensure effective communication between all parties involved. The cross-border nature of the breach can also affect the risk assessment and the way in which data subjects are notified, especially when it is necessary to take into account cultural and linguistic differences in different countries.

Summary

Responding appropriately to personal data breaches is crucial to protecting the rights of data subjects. This requires controllers to:

• Implement appropriate safeguards
• Prepare incident response procedures
• Act quickly in the event of a breach
• Communicate transparently with the supervisory authority and data subjects

Remember that the main purpose of these measures is to protect the rights and freedoms of individuals, not to avoid penalties. A responsible approach to data protection builds trust and minimises the negative effects of possible violations.

Want to know more?

Read the new guide from the UODO (the Polish Data Protection Authority):

https://uodo.gov.pl/pl/138/3561

What’s new in the guide?

The new version takes into account the latest interpretations of regulations, case law and practical tips that will help administrators make the right decisions in the event of a personal data breach. It includes, among others:

• updated procedures for responding to breaches (reporting to the President of the Personal Data Protection Office);
• practical examples and case studies;
• guidelines on cooperation with the President of the Personal Data Protection Office and other supervisory authorities;
• key recommendations on risk assessment and breach prevention.