In accordance with Article 4(12) of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Office for Personal Data Protection (UODO) further states that a breach is the result of a breach of data security rules.
However, a distinction must be made between a breach of personal data protection regulations and a data breach.
A breach of personal data protection regulations is a breach of the provisions arising from the GDPR, other acts regulating personal data protection, laws, regulations and the Constitutions adopted in the Member States of the European Union.
A data breach, on the other hand, is a breach of personal data security as defined in Article 4(12) of the GDPR, which can be divided into three categories:
- breach of data confidentiality – where personal data has been unlawfully accessed or disclosed,
- breach of data integrity – in the event of unauthorised or accidental modification of data,
- breach of data availability – which occurs in the event of unauthorised or accidental access to data or its destruction
In most cases, human error is responsible for data security breaches, and these are usually unintentional, such as sending correspondence to the wrong person. The concept of a personal data processing breach may seem abstract, but it can lead to unpleasant consequences for the person whose data was processed. Examples include identity theft and taking out a loan or credit in that person’s name, or the ‘police officer’ or ‘granddaughter’ scams – which we have all heard of. A personal data breach would also include the disclosure of medical records to the wrong patient, the accidental deletion of data, a cyberattack, or the theft of laptops, as a result of which the data controller loses access to the data.
If a breach is identified that meets the definition of a breach, the personal data controller is obliged, in accordance with Article 33(1) of the GDPR, to notify the competent supervisory authority of the breach without undue delay – where possible, no later than 72 hours after the breach is identified (in Poland, this is the President of the Personal Data Protection Office), unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons.
However, before the controller (and in practice often also the person responsible for implementing the GDPR within the organisation or the data protection officer, if appointed) reports the breach, they should conduct an investigation to determine, amongst other things, the nature of the breach, the categories and approximate number of data subjects concerned, and the possible consequences of the breach and their scale. It will also allow for verification of the need to modify the existing security measures in place within the organisation. The controller is obliged to document such a breach, taking into account its circumstances, consequences and the remedial measures taken, regardless of whether the breach is subject to a reporting obligation to the supervisory authority. Every identified data breach should also be recorded in the breach register, which every controller should implement in their operations.
A breach can be reported by completing the appropriate form and sending it electronically or by post to the UODO. Such a report should include at least:
- a description of the data breach, the categories and approximate number of individuals affected by the breach, if possible,
- the name and contact details of the data protection officer or details of another point of contact where further information can be obtained,
- a description of the possible consequences of the data breaches,
- a description of the measures taken or proposed by the controller to minimise the impact of the breach or to remedy it
If the personal data breach involves data subjects from different European Union countries, the controller should report such a breach to the lead supervisory authority.
For a personal data breach, an administrative fine may be imposed on the controller, depending on the type of entity and the nature of the breach. The supervisory authority may impose a financial penalty of up to €10 million or €20 million, or up to 2% or 4% of the entity’s total worldwide annual turnover in the preceding financial year, whichever is higher.
Frequently asked questions
What is the difference between a personal data breach and a regular violation of data protection regulations?
A personal data breach is a specific security incident, such as unauthorized access, loss or modification of personal data. On the other hand, a regulatory violation is a breach of the law itself, i.e., GDPR, acts or regulations, without the necessity of a physical leak or data loss occurring.
What are the main types of personal data breaches?
We distinguish three categories of breaches, namely breach of confidentiality, integrity and availability of data. A breach of confidentiality occurs with unauthorized disclosure of data, a breach of integrity with their unauthorized modification, and a breach of availability with their destruction or unauthorized access.
Within what timeframe must I report a data breach to the Personal Data Protection Office?
The data controller has the obligation to report a breach to the competent supervisory authority no later than within 72 hours of becoming aware of it. This obligation does not apply to situations where it is unlikely that the breach would result in a risk to the rights and freedoms of natural persons.
What should I do before reporting a breach to the office?
Before reporting, an explanatory procedure should be conducted to determine the nature of the incident, the number of persons affected by the breach and possible consequences. It is also important to document the circumstances, effects and remedial actions taken, as well as to enter the event in the breach register.
What information must I include in the breach notification to UODO?
The notification should contain a description of the breach, categories and approximate number of persons whose data is concerned, and contact details of the data protection officer or other contact point. It is also necessary to describe the possible consequences of the breach and the measures applied or proposed to minimize its effects.
What penalties do I face for personal data protection breaches?
The supervisory authority may impose an administrative fine, which depends on the type of entity and the nature of the breach. The amount of the fine may be up to 10 million euro or 20 million euro, or up to 2% or 4% of the total annual worldwide turnover of the entity, depending on which amount is higher.
Running a company with a matter to resolve?
That is where most conversations with a lawyer begin. A consultation is paid, PLN 600 net. You pay for a real opinion: whether you have a legal problem, what you can do about it and roughly what it costs. It ties you to nothing further, and you do not need to know the law, that part is on us.
- 1 Talk
You tell us what is going on, in your own words.
- 2 What next
We tell you your options and what it costs.
- 3 We act
You give the go-ahead and the matter is ours.
Specializes in corporate services for business entities and personal data protection. Assists the firm's clients in the preparation of all corporate documentation, including the registration of commercial companies and the further registration of changes, and provides ongoing and comprehensive advice on business. Provides advice in carrying out transformation processes of commercial companies, including transformations and mergers. Prepares and gives opinions on contracts, regulations and current documentation…
View profile →