Page 1

Reporting
athe
violation
File
aSecurity
complaint
personalto
data
protection
Personal
Data Office
Inspector's
applicationData
Contact
with theUODO
inspector
Data
Protection
Personal
(DPO)
Protection

Enter the phrase you are looking for

Applications,
conclusions,
Applications,
conclusions,
petitions - general
petitions
letter
- general
letter
from
natural
persons
Contact
with
Request
theinformation
team
for sharing
Press (for
public
media)

Office helpline 606-950-000

President and Office

Right

Education

Administrator

Tutorials

contact

» Top topics » Administrator »Obligations related to personal data breaches

Complaints

Data Protection Officer

Cooperation

How controllers should handle data breaches
The lack of access by the administrator to personal data is also a breach of protection
data - this is one of the reminders contained in a special information material
UODO regarding this issue.

Tutorials
From May 25, 2018 to May 25, 2019, administrators, fulfilling the obligation
Controls

resulting from art. 33 paragraph 1 of the General Data Protection Regulation (GDPR),
reported 4 539 breaches of protection to the President of the Personal Data Protection Office

Violation Obligations
personal data protection

personal data. Two-thirds of the notifications came from administrators
from the private sector and one-third from public sector administrators.
In the case of the private sector, the largest number of applications came from companies:
telecommunications, insurance, financial, banking and services

Risk analysis

health. In the public sector, notifications of incidents with personal data
the most frequent submissions were local government units, schools, kindergartens and nurseries

Recording of processing activities

and health care facilities.
Our annual experience in the field of receiving and analyzing notifications of personal data breaches shows that

List of types of operations requiring

controllers continue to have difficulties assessing the risks to the rights and freedoms of data subjects they may pose

impact assessments

a given event or whether it is a breach of data protection at all, as provided for in Art. 33 GDPR. And this is the case, for example
loss of access to the data being processed. However, such a situation may arise when the system is infected

Revised list of types of operations
requiring an impact assessment

ransomware virus that encrypts, for example, access to entire databases, and sometimes their backups.
All incoming data breach reports are scrupulously analyzed, and when there is a need to obtain further ones
information - the Personal Data Protection Office establishes quick, often also by phone, contact with administrators and their designated security inspectors

Prior consultation

Helpful tools

Codes and certification

data.
Meetings with other expert entities, such as CSIRT NASK, also serve to exchange experiences and information as well as improve practices
in the field of detection and prevention of violations related to IT infrastructure.
Our experience from the first year of application of the GDPR provisions in the field of personal data breaches and developed
Based on these experiences, we have included guidelines for data controllers and data protection officers in a special material

DPO-related forms

entitled "Responsibilities of controllers related to personal data breaches", available below. We have
I hope that it will be helpful in improving administrators' practices in this area.

Other forms

2019-05-30

Attached files
Administrators' obligations related to personal data breaches

President and Office

UODO hotline

Office for Personal Data Protection

News

606-950-000

ul. Stawki 2, 00-193 Warsaw

Right

open on business days from 10: 00-14: 00

kancelaria@uodo.gov.pl

Education

Working hours: 8.00-16.00

Schengen
Cooperation
Public procurement
Archive giodo.gov.pl
© UODO 2018 - 2021 All rights reserved.

Privacy Policy | Home | Contact | Fortress

