So in your opinion, will every breach involving a PESEL number require notification to the authority and notification of the data subject?
ANSWER
Having regard to the practice of the President of PUODO concerning breaches involving PESEL numbers, a cautious approach to their assessment is strongly recommended. In practice, this means that where there is any doubt about the assessment of the breach and the potential risk to the rights and freedoms of individuals, the recommended course of action is to report the incident to the supervisory authority.
In this regard, the following position of the President of PUODO is key (PUODO guide "Controller obligations related to personal data breaches" https://uodo.gov.pl/pl/134/1029 – p. 17 of the document):
However, a breach cannot be assessed in isolation from the specific factual circumstances; the processing context is decisive. In the guide referred to above, the President of PUODO also gives an example of a situation in which the breach involved a PESEL number but there was no need to notify the supervisory authority:
"An employee of the controller discarded HR and financial documents (containing, among other things, data such as: name, surname, PESEL, residential address, information on remuneration) in a waste container. The controller found that a data breach had occurred. However, given:
- the short period between the occurrence and discovery of the breach,
- the closed premises of the workplace,
- monitoring of waste containers,
- immediately taken remedial actions,
despite the seriousness of the event and in particular the scope and categories of data, the likelihood of harm materialising for the data subjects (e.g. use of the data to fraudulently obtain insurance) was assessed as low."