In accordance with Article 4(12) of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Office for Personal Data Protection (UODO) further states that a breach is the result of a breach of data security rules.
However, a distinction must be made between a breach of personal data protection regulations and a data breach.
A breach of personal data protection regulations is a breach of the provisions arising from the GDPR, other acts regulating personal data protection, laws, regulations and the Constitutions adopted in the Member States of the European Union.
A data breach, on the other hand, is a breach of personal data security as defined in Article 4(12) of the GDPR, which can be divided into three categories:
- breach of data confidentiality – where personal data has been unlawfully accessed or disclosed,
- breach of data integrity – in the event of unauthorised or accidental modification of data,
- breach of data availability – which occurs in the event of unauthorised or accidental loss of access to data or its destruction.
In most cases, human error is responsible for data security breaches, and these are usually unintentional, such as sending correspondence to the wrong person. The concept of a personal data processing breach may seem abstract, but it can lead to unpleasant consequences for the person whose data was processed. Examples include identity theft and taking out a loan or credit in that person’s name, or the ‘police officer’ or ‘granddaughter’ scams – which we have all heard of. A personal data breach would also include the disclosure of medical records to the wrong patient, the accidental deletion of data, a cyberattack, or the theft of laptops, as a result of which the data controller loses access to the data.
If an incident is identified that meets the definition of a personal data breach, the controller is obliged, in accordance with Article 33(1) of the GDPR, to notify the competent supervisory authority (in Poland, the President of the Personal Data Protection Office) without undue delay – where feasible, no later than 72 hours after the breach is identified – unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons.
However, before the controller (and in practice often also the person responsible for implementing the GDPR within the organisation, or the data protection officer, if appointed) reports the breach, they should conduct an investigation to determine, amongst other things, the nature of the breach, the categories and approximate number of data subjects concerned, and the possible consequences of the breach and their scale. Such an investigation also allows the controller to verify whether the security measures already in place within the organisation need to be modified. The controller is obliged to document every breach, taking into account its circumstances, its consequences and the remedial measures taken, regardless of whether the breach is subject to a reporting obligation to the supervisory authority. Every identified data breach should also be recorded in the breach register, which every controller should maintain as part of its operations.
A breach can be reported by completing the appropriate form and sending it electronically or by post to the UODO. Such a report should include at least:
- a description of the data breach, including, where possible, the categories and approximate number of individuals affected by the breach,
- the name and contact details of the data protection officer, or details of another point of contact from whom further information can be obtained,
- a description of the possible consequences of the data breach,
- a description of the measures taken or proposed by the controller to minimise the impact of the breach or to remedy it.
If the personal data breach involves data subjects from different European Union countries, the controller should report such a breach to the lead supervisory authority.
For a personal data breach, an administrative fine may be imposed on the controller, depending on the type of entity and the nature of the breach. The supervisory authority may impose a financial penalty of up to €10 million or 2% of the entity's total worldwide annual turnover in the preceding financial year, or, for the more serious infringements, up to €20 million or 4% of that turnover, whichever amount is higher.
Specializes in corporate services for business entities and personal data protection. Assists the firm's clients in the preparation of all corporate documentation, including the registration of commercial companies and the further registration of changes, and provides ongoing and comprehensive advice on business. Provides advice in carrying out transformation processes of commercial companies, including transformations and mergers. Prepares and gives opinions on contracts, regulations and current documentation…