Has there been a personal data breach in your company, e.g. has an employee sent a customer database to an outside person? You have 72 hours to notify the Office of Personal Data Protection (UODO). Below you will find out how to do this.
How to handle a matter
What you should know and who can benefit from the service
What is a personal data breach
A personal data breach occurs when an incident:
- concerns data transmitted, stored or processed by the entity affected by the breach
- results in the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data
- is the result of a breach of data security rules
Examples of personal data breaches
An example could be a breach of:
- confidentiality - e.g. if your employee accidentally sends a customer database to a third party or to the wrong department of the company
- availability - e.g. when a pen drive with a customer database is lost
- integrity - e.g. when an employee changes the names of customers as a joke
Who can notify a personal data breach?
The notification of a personal data breach is made:
- by the administrator - an entrepreneur or a public entity processing personal data
- by the administrator's proxy
When it is not necessary to notify UODO about a personal data breach
If, after discovering a personal data breach, you find that the risk of violation of the rights and freedoms of natural persons (e.g. the occurrence of material or non-material damage) is low, you do not have to notify the President of UODO about it.
This will be the case when, e.g.:
- your employee has lost a pen drive with customers' personal data, but the pen drive had been encrypted beforehand and the finder does not know the password. In that case there is no fear that the breach posed a threat to the rights or freedoms of the data subjects.
- an employee mistakenly took home a briefcase with unsecured personal data. After a while, however, they realised the mistake and returned to work with the briefcase. In such a case there is likewise no threat to the rights or freedoms of the data subjects.
Where you can handle the matter
Urząd Ochrony Danych Osobowych
What to do step by step
Analyse whether the personal data breach may lead to a risk of violation of the rights and freedoms of natural persons
If, after the analysis, you find that a risk of violation of the rights and freedoms of natural persons is unlikely, you do not have to notify the personal data breach.
Do this immediately upon detection of the personal data breach.
Notify a personal data breach
Select the type of notification in field 1.A:
- complete/one-time - when you have a full picture of the breach and all the information about what happened in connection with it, where, when and to what extent
- preliminary - when you do not yet have all the data concerning the breach and you risk exceeding the 72-hour deadline for notifying it
- supplementary/amending - if you managed to obtain the missing information after submitting the preliminary notification and want to send it to the office, or if the information provided in the complete/one-time notification turned out to be incorrect and you want to update it
You can submit a document as:
Notify the breach within 72 hours of detecting it.
The President of UODO will accept your notification
After sending your notification you will receive a confirmation of submission.
How much will you pay
The service is free of charge
How long will you wait
Your case will be dealt with immediately.
It is good to know
If a personal data breach may cause a high risk of violation of rights and freedoms, inform the person(s) whose data has been affected after sending the notification. If many people are affected, this may take the form of a public announcement - e.g. information on your website that, for example, passwords have been leaked.
Exceeding the 72-hour deadline
If you do not manage to collect all the information needed for a complete notification within 72 hours, you can send it in parts. However, you must explain the reasons for the delay.
Once you have notified a personal data breach, you must put measures in place within the company to minimise the risk of further data breaches.