Data Protection in Poland

Breach notification in Poland

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to the affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include, where possible, the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach, and the measures taken to mitigate any harm (Article 33(3)).

Controllers are also required to keep records of all data breaches, irrespective of whether they are notified to the supervisory authority, and to permit audits of those records by the supervisory authority (Article 33(5)).


Poland regulation

In Poland, the breach notification obligations under the Telecommunications Act were replaced by the breach notification obligations under the terms specified in Commission Regulation (EU) No. 611/2013 of 24 June 2013 regarding measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Regulation 611/2013).

A personal data breach should be reported by the provider of telecommunications services to the Polish DPA immediately, and no later than 24 hours after the detection of the personal data breach. This deadline results from Article 2 section (2) of Regulation 611/2013. Because this period is shorter than the period indicated in the GDPR, telecommunications undertakings will have to make every effort to send the information required by law within 24, not 72, hours. Therefore, the personal data breach should be notified electronically by filling out the appropriate form.

If a data breach could have a negative impact on the rights of a subscriber or end user (i.e. a natural person), the service provider should also immediately (i.e. without undue delay) inform the subscriber or end user about the breach, in addition to informing the Polish DPA, in accordance with Regulation 611/2013.

Under the new Electronic Communications bill, the breach notification obligations continue to be superseded by the breach notification obligations under Commission Regulation (EU) No. 611/2013, so relevant provisions remain unchanged.
