1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
Yes, the data breach has to be reported as set forth in Articles 33 and 34 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
In addition, further reporting obligations may arise from specific laws. In particular, providers of publicly available telecommunications services are obliged under Polish Telecommunications Law to notify the DPA of every personal data security breach pursuant to the provisions of Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications. Where a personal data breach may adversely affect the rights of a subscriber or an end user who is a natural person, providers of publicly available telecommunications services shall also notify the subscriber or the end user, unless the controller has demonstrated the implementation of technological protection measures which render the data unintelligible to unauthorised persons, and the application of those measures to the data that has been breached.
Other legal acts which provide further specific regulations on notification of data breaches are as follows:
- The Act of 14 December 2018 on the protection of personal data processed in connection with crime prevention – the provisions of the Act set out specific rules on data breach notification; the main difference is the 48-hour limit for the processor to inform the data controller of the breach, while the notification period for the controller remains as in the GDPR;
- Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12 (8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market – pursuant to Article 19 (2) of the Regulation, trust service providers shall, without undue delay but in any event within 24 hours of having become aware of it, notify the supervisory body and, where applicable, other relevant bodies of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein;
- The act of 5 July 2018 on the national cybersecurity system – the Act imposes the obligation of cooperation with governmental cybersecurity authorities, private entities and the Polish data protection authority.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
Every breach of personal data which may result in a risk to the rights and freedoms of natural persons has to be notified to the DPA.
Pursuant to the practice of the Polish and European authorities, disclosure of data such as:
- national identification number (PESEL number) with name and address of residence;
- the data stated in vehicle insurance documentation (e.g. VIN number, license plates, insured status and details);
- data regarding health;
- credit card data;
will result in risk to the rights and freedoms of the data subject. The regulator points out that breach of the same data may result in different levels of risk depending on the circumstances of the case.
The notification obligations apply to data controllers. Processors are obliged to inform data controllers of any data breach without undue delay after becoming aware of it (Article 33 (2) GDPR) and to support the controller in ensuring compliance with the notification obligations (Article 28 (3) lit. f) GDPR).
Pursuant to the provisions of Polish data protection law, the processor is not required to notify the individuals of a data breach – but, as mentioned above, it is obliged to provide the controller with information on the data breach. Polish regulation does not lay down a procedure for the notification of the data controller by the processor, but the notification should contain the information required by the provisions of law and should be made within a period which enables the notification of the DPA (and of the data subject) within 72 hours.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
The controller is obliged to notify the DPA within 72 hours of becoming aware of the data breach. If the notification is delayed, the data controller has to explain why it did not notify the breach within the statutory period.
The notification to the DPA required in the above-mentioned cases should consist of:
- a description of the nature of the personal data breach (including the categories and approximate number of data subjects and personal data records concerned);
- information on the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of measures taken or proposed by the controller to address the personal data breach (including, where appropriate, measures to mitigate its possible adverse effects).
The data controller may notify the DPA of the data breach by sending a completed form by regular mail to the address of the Office, as well as by the use of the Electronic Platform of Public Administration Services (ePUAP) or an electronic signature.
Notification to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least information on:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
There are no specific methods of giving notice to the data subject in addition to what is stated in the GDPR. However, the communication should be effective. In most cases, the notice is given by phone and email/post.
As mentioned above, specific regulations may impose other requirements. For example, Polish Telecommunications Law requires that the personal data breach be notified to the DPA no later than 24 hours after its detection; if providing the required information is not possible within that time, the data controller should notify the authority with the information available and then, within 3 days after the initial notification, supply the outstanding information. The content of the notification to the competent national authority, as well as of the notification to the individuals, is set out in Annex I and Annex II to Regulation 611/2013.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
Failure to notify the DPA or the data subject – pursuant to the provisions of the GDPR – may result in the imposition of administrative fines of up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. We would like to note that the above-mentioned amounts constitute the upper limit of possible fines – at present the Polish DPA has not imposed a fine higher than PLN 3,000,000 (about EUR 70,000), and that penalty was imposed for a high-risk breach of data protection, not for a failure to notify; moreover, the court of first instance annulled the fine and requested that the DPA reassess the level of the penalty.
Polish Telecommunications Law provides specific rules on penalties for failure to notify a personal data breach – the provider of publicly available telecommunications services is subject to financial penalties for the violation of notification duties towards end users as well as towards the DPA. In the case of non-performance, the President of the Office of Electronic Communications ("OEC") may impose a financial penalty (max. 3 % of the revenue generated in the preceding financial year) on the provider.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
Pursuant to Article 3 (2) of the GDPR, the provisions of the GDPR also apply to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing relates to the offering of goods and/or services to such data subjects or to the monitoring of the data subject’s behaviour as far as it takes place within the EU.
If the controller detects any breach of personal data, it should verify a possible risk of violation of the rights and freedoms of natural persons. If the controller does not find any risks of a violation of the rights and freedoms of natural persons, it is not required to notify the breach. However, the supervisory authority may ask the controller to explain the lack of notification – therefore the controller should store the documentation of the analysis.
If there is a risk of violation of the rights and freedoms of natural persons, it is recommended to notify such individuals, even if the data controller or data processor is not located in Poland.
1.6 What are the applicable (data protection) laws or guidelines within your country?
The main laws which regulate personal data protection in Poland are as follows:
- The General Data Protection Regulation (Regulation (EU) 2016/679)
- The Act of 10 May 2018 on the Protection of Personal Data; available in a Polish version and an English version
- Act of 26 June 1974 – Labour Code
- Act of 16 July 2004 – Telecommunications Law
Polish and European regulators published guidelines on personal data protection which provide interpretation of the provisions of law e.g.:
- Guidelines for controllers on the data breach notification procedure
- Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01)
1.7 Contact information for the local Data Protection Authority:
President of the Personal Data Protection Office
ul. Stawki 2, 00-193 Warsaw, Poland
+48 22 531-03-00
+48 22 531 03 01
For more information, contact:
Sołtysiński Kawecki & Szlęzak
ul. Jasna 26, 00-054 Warszawa, Poland
+48 22 608 7006
+48 22 608 7070