Commentary to art. 33

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Breaches of personal data protection

  • The steps to be taken (in particular, whether notification to the supervisory authority is required) will depend on the level of risk to the rights and freedoms of data subjects;
  • It is therefore crucial to carry out and document an assessment of the risk posed by the breach - in practice, the Polish supervisory authority (PUODO) often verifies how this was carried out;
  • When notification to the supervisory authority is required under the GDPR, there is an official notification form published on the PUODO website that should be used.

What is a data breach?

“Personal data breach” means “a breach of security resulting in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed”.

The term covers a very long list of different events of varying nature, cause and effect. A breach can range from a cyber-attack by a hacker to data being mistakenly sent to the wrong recipient by a controller’s employee, to the theft or loss of a data carrier in the form of documents or a portable drive.

What should a data controller do in the event of a data breach?

The action required from the controller will depend on the level of risk associated with the breach.

If the breach is more than unlikely to result in a high-risk infringement of the rights and freedoms of individuals, the controller must notify the breach to the supervisory authority. The controller must also keep an internal record of the fact that a breach has occurred and of the remedial and corrective measures taken.

If the breach is likely to result in a high-risk infringement of the rights or freedoms of individuals, the controller must notify the breach to the supervisory authority and to the individuals affected. The controller must also keep an internal record of the fact that a breach has occurred and of the remedial and corrective measures taken.

If the breach is unlikely to result in a risk of infringement of the rights and freedoms of individuals, the controller does not need to notify the supervisory authority or the data subjects. However, the controller must keep an internal record of the fact that a breach has occurred and of the remedial and corrective measures taken.

How to assess the risk of a breach?

The GDPR does not explicitly state how - or by what methodology - the controller should analyse the risk of a breach.

It is undoubtedly necessary that the conducted risk analyses, regardless of the methodology used, are properly documented and that the conclusions and actions taken are justified. Documentation of analyses and actions is necessary for accountability reasons alone, but can also be very helpful in the event of questions from the supervisory authority or a possible audit. In practice, when a breach is reported, the supervisory authority often actually verifies whether and how the controller has carried out an analysis of the risks to data subjects associated with the breach.

The breach risk analysis should be conducted from the perspective of the risks to the data subject associated with the breach (rather than the risks to the controller, e.g. financial, business or reputational).

When assessing the risks of a breach, the Breach Guidelines developed by the European Data Protection Board may be helpful (Guidelines 9/2022 on personal data breach notifications under the GDPR, version 2.0, adopted 28 March 2023). An example of a methodology that may be helpful in assessing the risks associated with a breach is the methodology contained in the study entitled Recommendations for a methodology of the assessment of the severity of personal data breaches prepared by the European Union Cyber Security Agency, which is recommended in the Breach Guidelines. This methodology uses a relatively accessible way of estimating the severity of the breach (essentially using the formula: severity of the breach = context of processing x ease of identification + circumstances of the breach).
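As an added illustration (not code from the commentary, PUODO or ENISA), the severity formula quoted above carried through to the three notification tiers described earlier. The scale values, modifier weights and band thresholds are assumptions recalled from the ENISA study, and the mapping from severity band to notification tier is an assumed policy, not something the page prescribes.

```python
"""ENISA-style severity score (SE = DPC x EI + CB) feeding the Article 33/34
decision described in the commentary.  Added illustration, not PUODO's or
ENISA's own tool.  All scale values below are assumptions (recalled from the
ENISA study); the commentary itself only quotes the shape of the formula."""
from dataclasses import dataclass, field

# Data Processing Context: base score by the most sensitive data category (assumed scale)
DPC = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}
# Ease of Identification of the data subject from the affected data (assumed scale)
EI = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}
# Circumstances of Breach: additive modifiers (assumed, illustrative values)
CB = {
    "confidentiality_unknown_recipients": 0.5,
    "integrity_altered_unrecoverably": 0.5,
    "availability_unrecoverable": 0.5,
    "malicious_intent": 0.5,
}
SEVERITY_BANDS = [(2.0, "low"), (3.0, "medium"), (4.0, "high")]  # assumed thresholds


@dataclass
class Breach:
    data_context: str    # key of DPC
    identification: str  # key of EI
    circumstances: list = field(default_factory=list)  # keys of CB


def severity_score(b: Breach) -> float:
    """SE = DPC x EI + CB, the formula quoted in the commentary."""
    return DPC[b.data_context] * EI[b.identification] + sum(CB[c] for c in b.circumstances)


def severity_band(score: float) -> str:
    for limit, name in SEVERITY_BANDS:
        if score < limit:
            return name
    return "very high"


def art33_34_actions(b: Breach) -> dict:
    """Assumed policy mapping onto the three tiers above: 'low' = unlikely to
    result in a risk; 'medium'/'high' = risk; 'very high' = likely high risk.
    The score is an input to the human assessment, not the decision itself."""
    band = severity_band(severity_score(b))
    return {"severity": band,
            "internal_record": True,                      # always required
            "notify_authority": band != "low",            # Art. 33
            "notify_data_subjects": band == "very high"}  # Art. 34
```

A stolen laptop holding health records with names and PESEL numbers would score `Breach("sensitive", "maximum", ["confidentiality_unknown_recipients", "malicious_intent"])`, while a pseudonymised mailing list sent in error to a known trusted partner would score `Breach("simple", "limited")`; the Guidelines' criteria listed below still have to be weighed before the outcome is final.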

However, the assessment of a breach is never simply a matter of calculation. According to the Breach Guidelines, a controller assessing a breach should first and foremost consider the circumstances of the breach, including the severity of the potential negative effects and the risk of their actual occurrence. The Breach Guidelines also identify the following criteria that a controller should consider when assessing a breach:

  • Nature of the breach - Generally, the type and nature of the breach may affect the level of risk. For example, the Guidelines indicate that a breach of confidentiality involving the disclosure of medical information to unauthorised individuals poses a different level of risk to data subjects than a breach involving the loss of an individual's medical information.
  • The type, sensitivity and volume of data affected by the breach - the Guidelines indicate that:
    • In general, the more ‘sensitive’ the data affected by a breach, the higher the risk associated with such a breach, with the understanding that the assessment should take into account not only the data affected by the breach, but also the publicly available data about the data subject, and the effect that may occur when such data is combined;
    • It should be assessed whether the set of data records affected by the breach could be used for identity theft;
    • An assessment should also be made as to whether the disclosure of data that is not sensitive in itself may nevertheless be risky for the data subject in a particular context – for example, information about a cancellation of regularly scheduled home deliveries by a regular customer may indicate his or her absence from home, which in turn may be valuable information for criminals;
    • The disclosure of even a small amount of highly sensitive data may justify the high risk associated with a particular incident.
  • Ease of identifying the data subject from compromised or lost data - The Breach Guidelines note that the easier it is to identify the data subject from the compromised data, the higher the inherent risk of the breach. For this reason, the Breach Guidelines emphasise the importance of data protection measures, such as data encryption or pseudonymisation, which make it more difficult to identify the data subject and the implementation of which in relation to disclosed or lost data will generally reduce the level of risk associated with the breach.
  • The severity of the potential consequences for the data subject associated with the breach - the Guidelines indicate that higher risks are associated with breaches involving data (such as the special category data referred to in GDPR Article 9) the disclosure of which may have particularly harsh consequences for the data subject, such as fraud, identity theft, physical harm, nervous breakdown, humiliation or damage to reputation. In this regard, the controller should also take into account whether the personal data involved in the breach was disclosed to “trusted” persons (which may reduce the risk of adverse consequences for the data subject) or to persons whose intentions are unknown or who may be dishonest (which will generally increase the risk of potential adverse consequences).
  • Specific characteristics of the data subject affected by a data processing breach - The Guidelines note that sometimes the characteristics of the person whose data has been disclosed or lost in connection with the incident will be a factor that increases the risk associated with the breach (e.g., if the breach involves the data of a child).
  • Specific characteristics of the data controller affected by a data processing breach - The Guidelines state that the characteristics of the data controller, his or her function and the activities he or she carries out may also influence the assessment of the level of risk posed by a breach to data subjects. For example, a healthcare provider will process health data, the disclosure of which poses a higher risk than the disclosure of a magazine mailing list.
  • The number of individuals affected by the breach – The Guidelines state that the greater the number of individuals affected, the greater the impact of the breach may typically be (this does not preclude high risks associated with a breach affecting only one individual).

Remedies

In the event of a breach, the controller should implement measures to remedy the breach - including, where appropriate, measures to minimise its possible adverse effects and to reduce the risk of similar breaches in the future. These measures should be tailored to the nature of the breach, in particular its causes and effects. They may include a wide range of measures, such as:

  • Additional training for staff
  • Implementing or updating internal procedures
  • Implementing new or updating existing data processing or cyber security solutions
  • Addressing internal vulnerabilities
  • Internal audit
  • Change of processor or change in the terms of cooperation with the processor
  • Employee disciplinary action
  • Funding a credit monitoring account for the data subject

It is important to note that the supervisory authority will often verify that the data controller has implemented the remedial measures he or she has declared in the breach notification. It is therefore important to remember to implement the measures in the manner stated in the notification and, where possible, to document their implementation.

How to notify a breach to PUODO?

PUODO has developed a template form for data controllers wishing to notify breaches (downloadable from the PUODO website).

Notifications can be submitted electronically or by post. Detailed information on how to submit a notification can be found on the PUODO website.

What information should be included in the notification?

The notification should contain all the information required in the PUODO breach notification form. In particular, this form covers the information required under GDPR Article 33(3). However, the scope of the information required in the form is slightly broader than what is explicitly stated in the GDPR, and additionally includes, inter alia, a description of the data protection measures that the controller had in place prior to the occurrence of the breach.

In terms of the key information required by PUODO, its website states as follows:

It is important that the description of the nature of the breach is sufficiently detailed and clear to enable the supervisory authority to assess the entire incident and take effective action. This means that the entire incident should be described as precisely as possible, i.e. contain a description of what happened (e.g. laptop theft / loss of documents), the categories of data affected (e.g. name, surname, PESEL number, ultrasound results, account login and password), the time and place of the incident (date, time, place) and the involvement of other entities in the breach (e.g. processor, postal operator, law firm, accountant, etc.).

How soon must the breach be notified to the supervisory authority?

The breach must be notified to the supervisory authority without undue delay and, where possible, no later than 72 hours after the breach is discovered.

The time limit for notifying a breach is calculated from the moment the breach is identified by the controller. In practice, it can sometimes be difficult to determine this point in time, as the GDPR does not provide clear guidance on when a “breach has been identified”. In this respect, the Breach Guidelines may be helpful. According to the Breach Guidelines, it may be argued that a controller determines the occurrence of a breach at the point when it becomes reasonably certain that a security incident has occurred that has resulted in the disclosure or loss of data. It may therefore be the case that the time limit for notifying a breach does not start to run from the moment the controller (e.g. an employee of the controller) first becomes aware of the incident or suspected incident. This is because such information may be uncertain and require further verification. In such situations, it cannot be assumed that the controller already had sufficient certainty that an incident has occurred at the time he or she received the information.

Importantly, the Breach Guidelines also state that the controller should have appropriate organisational and technical measures in place (including appropriate IT procedures or solutions) to detect breaches as soon as possible and to obtain certainty as to whether and to what extent breaches have occurred, in order to be able to take the appropriate measures required under the GDPR.

Where it is not possible to provide all the information at the same time (in particular, within 72 hours of the identification of a breach), it may be provided on a staggered basis without undue delay. This means that there is a possibility (as well as a corresponding option in the PUODO notification form) to submit a so-called preliminary notification (in particular, in order to comply with the notification deadline). Such a notification will contain the information available to the data controller at the time of the initial notification (even if it is far from complete), which the data controller will then supplement in subsequent notifications as new information becomes available, such as information on the scope and impact of the cyber attack.

What should a data processor do once a breach has been identified?

Where a data breach has occurred at the processor and concerns personal data that the processor processes on behalf of another controller, the processor should immediately notify the controller affected by the breach (and not the supervisory authority - this is already the controller's role).

The processor should also take any other actions required of him or her in such a situation, in accordance with GDPR Article 28 and the data processing (entrustment) agreement he or she has with the controller affected by the breach (in practice, these agreements often include a deadline for the processor to notify the controller of an actual or suspected breach).

What should a joint controller do once a breach has been identified?

The GDPR does not clearly indicate who should notify a breach involving personal data subject to joint control under GDPR Article 26. It seems that - in order to avoid disputes in this regard and to ensure a smooth handling in the event of such a breach - the question of who is responsible for making notifications and taking other actions related to the occurrence of a breach should be addressed by the joint controllers themselves in the joint control agreement.

Internal register of data breaches

In view of the obligation to keep an internal record of the occurrence of a breach and the remedial and corrective measures taken in relation thereto, the controller is required to maintain an internal breach register in which he or she will record in a structured and standardised manner the occurrence of breaches, the risk analyses carried out in relation to the breach, the consequences of the breach and the remedial measures taken in relation to the breach. Keeping such a register will not only be a means of implementing the obligation under GDPR Article 34(5), but also an expression of the controller's compliance with the principle of accountability.