Commentary to GDPR Article 34: Communication of a personal data breach to the data subject
Will be required if the controller identifies a high risk of violation of the rights or freedoms of natural persons;
When the breach relates to the PESEL number (the Polish national identification number), then in the assessment of PUODO (the Polish personal data protection authority) it may be assumed that a high risk does indeed exist;
There is no official communication form; when preparing the communication, one needs to take into account GDPR Article 34 and PUODO’s online handbook on personal data breaches (“Controller’s Obligations with Relation to Breaches of Personal Data”).
When should a data breach be communicated to the data subject:
The data controller should communicate the breach to the person affected if the controller determines that the breach is likely to result in a high risk of violation of the rights or freedoms of natural persons. For more information on the risk assessment of a breach, see the Commentary to GDPR Article 33. At this point, from a practical point of view, it is only worth noting in addition PUODO’s specific approach to breaches that concern the PESEL number. If the breach concerns the PESEL number, it can be assumed that, in PUODO’s assessment, it will probably involve a high risk of infringement of the rights or freedoms of natural persons, which triggers the need to communicate the breach to the data subjects affected by it.
If a controller reports a breach to PUODO and, at the same time, assesses that the breach does not need to be communicated to data subjects, PUODO may challenge that assessment and order the controller to communicate the breach (usually after requesting the controller to produce a document confirming that a breach risk assessment has been carried out, together with information on the assessment methodology used). In such a situation, one cannot rule out the risk of the authority concluding that the failure to communicate, or the failure to perform the breach risk assessment properly, constitutes a breach of the GDPR, which may expose the controller to administrative and legal liability.
When is a communication not necessary despite the high risk of a breach:
Under the GDPR, communication of a breach to data subjects is not required despite the fact that the breach may result in a high risk of violation of the rights or freedoms of natural persons in the following cases:
Where the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the personal data affected by the breach; in particular, this involves measures such as encryption, which prevents persons not authorised to access that personal data from reading it;
Where the controller has subsequently taken measures to eliminate the likelihood of a high risk of violation of the rights or freedoms of the data subject;
When it would require a disproportionate effort (in which case a public communication is issued or a similar means is used by which data subjects are informed of the breach in an equally effective manner).
If the controller opts out of communicating the breach to data subjects based on one of the aforementioned exemptions, it is advisable for him/her to adequately justify and document his/her decision, in particular in view of possible questions from a supervisory authority that may challenge the validity of the exemption. The assessment of whether an exemption applies should be made on a case-by-case basis.
As examples of situations where exemptions may apply, PUODO pointed out the following in its handbook on breaches:
With regard to the exemption as a result of the implementation of appropriate technical and organisational security measures:
Data is secured using state-of-the-art encryption or tokenisation.
With regard to exemption on the grounds of the application of measures eliminating the likelihood of a high risk of violation of the rights or freedoms of the data subject:
The controller immediately identified the individual who accessed the personal data and took action against that individual before he/she could use the data in any way. Nevertheless, due consideration must be given to the possible consequences of any breach of confidentiality, again taking into account the nature of the data in question;
The controller realised that the consignment containing personal data was dispatched to the wrong address and contacted the postal operator, who prevented it from being delivered to the addressee initially indicated.
With regard to exemption on the grounds of the disproportionate effort that communication would require:
The controller’s records were flooded and documents containing personal data were kept only in paper form. In such a case, the controller must issue a public notice or use a similar means by which individuals will be informed of the breach in an equally effective manner. If doing so would require a disproportionate amount of effort, it may also be agreed that information about the breach will be available on request, which may prove useful to individuals who may have been affected by the breach but who could not otherwise be contacted by the controller.
How should the communication be sent:
The GDPR does not specify in which form the communication should be sent to data subjects.
According to PUODO’s handbook on breaches:
The ultimate choice [of the form of communication - editor's note] will depend on the type of contact details of data subjects available to the controller. Given the importance of the communication, it should be in a form that allows the data subject to return to its contents at his/her will. When choosing the means of communication, it must be borne in mind that the notice must be delivered to the addressee as soon as possible. In this context, the disadvantage of a consignment sent by traditional means is the time required for its delivery to the data subject. In comparison, the main advantage of the electronic form of communication is its speed, which is desirable in view of the obligation to notify the data subject without undue delay (GDPR Article 34(1)). This form allows the addressee both to review the contents of the communication at his/her will and print it if necessary.
With regard to the form of notification, it is worthwhile to additionally refer to the information contained in the European Data Protection Board’s guidelines on breaches (Guidelines 9/2022 on personal data breaches under GDPR, Version 2.0, adopted 28 March 2023), according to which:
Breach notifications should be sent to data subjects using dedicated messages and not together with other information such as periodic messages, newsletters or standard messages. This is to help make the breach notification clear and transparent. Examples of transparent communication methods include direct messages (e.g. email, SMS, direct message), a visible banner or notice on a website, postal communications and a visible advertisement in the print media. A notice contained only in a press release or company blog should not be considered as an effective notification of the data subject. The EDPB recommends that controllers choose methods that maximise the chances of properly communicating information to data subjects. Depending on the circumstances, this may mean that the controller should use several methods of communication as opposed to using a single contact channel.
It is furthermore advisable that the language in which the communication will be drafted should be comprehensible to the data subject. This means that in certain situations, for example when the communication will be sent to foreigners, it may be necessary to draft the communication in other language(s) besides Polish. This also means that technical jargon must be avoided.
When should the notice be sent:
The controller should send a personal data breach notice to data subjects as soon as he/she becomes aware that the breach is likely to result in a high risk of interference with the rights or freedoms of natural persons. According to PUODO’s handbook on breaches, “as soon as” should mean “as soon as reasonably practicable”. For more information on the “point in time when the breach is identified”, see the Commentary to GDPR Article 33.
Notices to data subjects may be sent either before or after the breach is reported to the supervisory authority. If the notice is sent before the breach is reported to the authority, PUODO will expect to receive, together with the notification of the breach, a copy of the sent notice (along with information on the date when it was sent to data subjects and by what means). If the notice is sent after the breach is reported to PUODO, the latter will expect the controller to send it the notice as a follow-up report. In either case, the content of the notice, regardless of when it was sent to data subjects, will also end up at PUODO, and the authority will assess whether its contents meet the GDPR requirements and are adequate to the breach that occurred.
Should PUODO conclude that the contents of the notice do not meet the legal requirements (for example, it incompletely describes the risks involved in the breach or the measures that the data subject can take to minimise the negative effects of the breach), PUODO may order the controller to resend a corrected notice.
What if the controller does not have the contact details of the persons affected by the breach:
As PUODO points out in its handbook on breaches,
if the controller is unable to notify a given data subject of a breach because the information the controller holds is insufficient to contact that individual, then, in such a case, the controller should inform the individual of the breach as soon as reasonably practicable (for example, if the individual exercises the right under GDPR Article 15 to access his/her personal data and provides the controller with the additional contact information required).
What information should the notification convey:
The notification should describe the nature of the data breach and, in addition, at least:
Contain the name and contact details of the data protection officer (if one has been appointed by the controller) or an indication of another contact point from which further information can be obtained;
Describe possible consequences of a personal data breach;
Describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimise its possible adverse effects.
The scope of information to be provided to data subjects is quite broad. It may be difficult to present it in a manner that is complete and, at the same time, simple and easily understood. At the same time, there is no official notice form or template. The controller should create the contents of the notice on his/her own.
PUODO’s handbook on breaches may prove to be a very useful and practical aid here, as it in particular points out the frequent mistakes that controllers make when submitting breach notifications. The supervisory authority has described in detail in the handbook what information in its opinion should be provided to data subjects in connection with a committed breach (for example, the handbook provides examples of descriptions of possible consequences and proposed measures to minimise the effects of the breach). In practice, the authority does in fact often verify whether the controller has taken into account in the notification the examples provided in the handbook (on the condition, of course, that they have been applicable in the circumstances).
It is also imperative for controllers, when creating a notification, to bear in mind the need for consistency between the information contained in the breach report addressed to PUODO and the breach notification addressed to the data subject.
The implementation of breach notification obligations is the subject of PUODO’s interest:
The correct implementation of data breach notification obligations quite often attracts PUODO’s interest. The following PUODO decisions may be cited as examples of cases in which the authority has imposed penalties in connection with irregularities in the implementation of these obligations:
https://uodo.gov.pl/decyzje/DKN.5131.8.2021
https://uodo.gov.pl/decyzje/DKN.5110.12.2021
https://uodo.gov.pl/decyzje/DKN.5131.33.2021