After almost 3 years with General Data Protection Regulation, there is still big uncertainty among businesses regarding their particular obligations in case of a data breach. Under the GDPR, any incident resulting in the destruction, loss, alteration, or disclosure of personal data is a data breach and its occurrence triggers the controller’s obligation to examine the breach and, in some cases, to notify Data Protection Authority (DPA) and inform data subjects whose personal data the breach concerned. In case the breach poses risks to data subjects (of a monetary loss or physical harm) the controller is obliged to notify the DPA within 72 hours. In addition, in case the risks identified by the controller are particularly high, it is also necessary to inform the data subjects.
Recently Polish DPA issued decisions regarding the data breach notifications which were quite controversial. As an example, in one of the cases the scale of the breach was quite insignificant (mail send by mistake to the wrong receiver). The company identified the incident as data breach, however, with no risk to data subject identified, it decided not to notify the DPA. The conclusion reached by the DPA (after the proceeding initiated by the e-mail receiver) was different – it found that not only did the breach pose risk to data subjects but that the risk was high and that also the data subject should have been notified.
During the espresso, our Polish expert, Karolina Miksa will present more details about the Polish cases and discuss, if, to avoid sanctions, the companies should consider notifying any data breaches to the DPA.