When and to whom must a personal data breach be reported?
FORMAL ANSWER
In the event of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay. Communication is not required if:
1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach;
2. the controller has subsequently taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
3. it would involve disproportionate effort. In such a case, a public communication or similar measure shall be used instead.
PRACTICAL ANSWER
In the event of an incident, you should eliminate its effects as quickly as possible, describe the circumstances and the planned response, and — if there is such an obligation — report the breach together with the required documentation without undue delay, within 72 hours, to the supervisory authority and to the individuals whose data are affected by the breach.
A breach is not reported to the supervisory authority if it is unlikely that the incident (e.g. loss of data) could result in an infringement of the rights of natural persons.
A breach is not reported to the individuals whose data are affected by the incident if the controller:
1. is able to demonstrate that there is no high risk to their rights;
2. has appropriately secured the data affected by the breach, e.g. by preventing access by unauthorised persons; or
3. has eliminated the likelihood of a high risk to the rights of the individuals whose data are affected by the incident.
If notifying all individuals would require disproportionate effort, a public communication or an equally effective means of communication may be used as an alternative.
Regardless of whether the incident is reported, it must be recorded.
MORE:
- You can find more information in the article: Breach management – action plan