When is notification of a personal data breach to the President of the PDPO not required?

Article 33(1) GDPR states that when "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons", the controller is not obliged to notify the breach to the supervisory authority.

Under Article 33 GDPR, not every personal data breach involves a breach of the rights and freedoms of natural persons. The notification obligation referred to in the above-mentioned article concerns only those breaches which are likely to result in a high risk to the rights and freedoms of natural persons.


Example I: An employee of a law firm accidentally takes away a folder containing unsecured personal data, including special categories of personal data. After a while he realises his mistake, comes back and returns the folder. The described behaviour breached data protection rules but did not result in a risk to the rights and freedoms of the natural persons concerned, because their data were not made available to anyone.


Example II: The controller loses a securely encrypted pendrive. The encryption key remains in the secure possession of the controller, and the pendrive did not hold the sole copy of the personal data. In such a situation the personal data would be inaccessible to an attacker, which means that the breach is unlikely to result in a risk to the rights and freedoms of the data subjects.


Each situation must be analysed carefully and thoughtfully, because a change in any of the key elements may lead to a different conclusion. If, in the situation described in Example II, it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights and freedoms of natural persons changes, and notification to the President of the Personal Data Protection Office may now be required. Likewise, when a breach occurs and the controller has no adequate backup of the personal data, the incident shall be treated as a loss of availability that poses a risk to the rights and freedoms of natural persons, and it shall be notified to the supervisory authority.

2018-08-09 Article metadata