Notification of a personal data breach

There has been a personal data breach in your company - e.g. your employee has sent a customer database to an outside person? You have 72 hours to inform the Office of Personal Data Protection. Below you will find out how to do this.

How to proceed

What you should know and who can use this service

What is a personal data breach

A personal data breach occurs when:

• concerns data transmitted, stored or processed by the data subject of the breach
• it results in the destruction, loss, alteration, unauthorised disclosure or unauthorised access to personal data
• is the result of a breach of data security rules

Examples of personal data breaches

An example could be a violation of:

• confidentiality - e.g. if your employee accidentally sends a customer database to a third party or an inappropriate department of the company.
• availability - e.g. when a pendrive with a customer database is lost
• integrity - e.g. when an employee changes the names of customers as a joke

Who can notify a personal data breach?

The notification of a personal data breach shall be made:

• by an administrator - an entrepreneur or a public entity processing personal data
• administrator's proxy

When it is not necessary to notify UODO about a personal data breach

If, after discovering a breach of personal data protection, you find that the risk of violation of the rights and freedoms of natural persons (e.g. occurrence of material or non-material damage) is low, you do not have to notify the President of UODO about it.

This will be the case when, e.g.

• your employee has lost a pen drive with personal data of customers, but was previously encrypted, and the finder does not know the password. Then there is no fear that the violation was a threat to the rights or freedoms of the data subjects.
• the employee mistakenly took from work a briefcase with unsecured personal data. After a while, however, he realized that a mistake had occurred and returned to work, returning the briefcase. In such a case, there is also no threat to the rights or freedoms of the data subjects.

Where you can complete this procedure

URZĄD OCHRONY DANYCH OSOBOWYCH ul. Stawki 2, 00-193 Warszawa

What to do step by step

1. Conduct an analysis of whether a breach of personal data protection may lead to a risk of violation of personal rights and freedoms

If, after the analysis, you find that the risk of violation of personal rights and freedoms is unlikely, you do not have to notify the violation of personal data protection.

Time limit

Immediately upon detection of a personal data breach.

2. Notify a personal data breach

Depending on the type, select the type of request in field 1.A:

• complete/ one-time - when you have a full picture of the violation and you have all the information about what happened in connection with the violation, where, when and to what extent.
• preliminary - when you do not yet have all the data concerning the violation, and you risk exceeding the 72-hour deadline for reporting the violation
• supplementary/amending - if you managed to obtain the missing information after filling in the initial application and want to submit it to the office or if the information provided in the complete/one-time application turned out to be incorrect and you want to update it.

Documents

Time limit

Report the violation within 72 hours of detection.

3. The President of UODO will accept your notification

After sending your application you will receive a confirmation of submission.

How much you will have to pay

The service is free of charge

How long you will have to wait

Good to know

If a breach of personal data protection may cause a high risk of violation of rights, after sending a report, inform the person(s) whose data has been violated. If more than one person is involved, it may be a public announcement - e.g. information on your website that, for example, passwords have been leaked.

Exceeding the 72-hour deadline

If you do not manage to collect all the necessary information to submit a full report within 72 hours, you can send it in parts. However, you must explain the reasons for the delay. 

Remedies

Once you have reported a personal data breach, you must put in place measures within the company to minimise the risk of further data breaches.