Communicating a personal data breach to natural persons

Securing personal data against potential malware attacks is particularly tough. Therefore, every personal data controller must take into account the risk of personal data breach at one of the processing stages. That is why, in addition to implementing appropriate safeguards, data controllers should also be aware of their obligations in the case of a breach. 

Breaches may have different natures and different consequences. In particular, they can affect the confidentiality of data, which means the data are disclosed or made available to an unauthorised entity. This is the most typical case of a personal data breach and, at the same time, it poses the greatest threat.

A breach may also concern the integrity of personal data (e.g. when unauthorised changes are made to the data) or their accessibility (e.g. when an authorised person cannot use the data).

Regardless of the nature of the breach, data controller will need to consider whether a given incident must be communicated to the data subject. Data controller may be obliged to notify the supervisory authority as well. 

Pursuant to Articles 33 and 34 of the GDPR, in the case of a personal data breach, the controller must notify the personal data breach to two parties: the supervisory authority and the data subjects. The circumstances triggering the obligation to communicate the breach to natural persons are somewhat different than in the case of the obligation to notify the supervisory authority.

The supervisory authority must be notified of each case of breach except where the risk of violation of the rights and freedoms of individuals is low. When it comes to natural persons, in turn, the data controller must communicate the breach to them when the risk of violation of the rights and freedoms of data subjects turns out high. This leads to a conclusion that data controllers are much more frequently obliged to communicate cases of personal data breach to natural persons than to the President of Personal Data Protection Office.

To identify data controller’s obligations in a specific case, the data controller should carry out a risk analysis and impact assessment. The type of data affected by the breach, its nature, extent and potential consequences need to be investigated.

If the risk of violation of the rights and freedoms of natural persons is high, the data controller should communicate the breach not only to the President of the Personal Data Protection Office, but also to natural persons. If the risk does not prove high, the data controller will not need to communicate the breach to the data subject.

The high risk is when e.g. Polish personal identification number PESELs together with first and last name and insurance documents, particular person’s data concerning health, are published on the Internet. A breach which the President of the Personal Data Protection Office has found to be low-risk to the rights and freedoms is, among others, employer’s loss of employee’s work record certificate. The President of the Personal Data Protection Office claims that work record certificates do not contain data which could lead to violation of the rights or freedoms so the natural person do not need to be notified of the breach. 

An incident which does not lead to the disclosure of personal data but only to loss of access to them may spark greater doubts. In such cases, the risk to the rights and freedoms of data subjects will be high much less frequently. Nonetheless, case-by-case assessment may lead to different conclusions, in particular if we are dealing with significant data concerning health and if these data are inaccessible for a longer time. 

Article 34(3) of the GDPR defines exceptions to the above-mentioned circumstances triggering the obligation to communicate the breach to data subjects. 

Even if personal data are breached and the analysis shows a high risk of violation of the rights and freedoms of a natural person, there are still cases when the data controller is not obliged to notify the natural person of the breach. This applies if and when: 

Due to the variety of potential personal data breaches, each case requires an individual approach and a separate analysis. Of course, it is always a good idea to implement appropriate data security measures before a breach occurs. However, it is often the detailed analysis of the breach which shows what additional data protection measures should have been taken by the enterprise. It is also worth including in the analysis the issue of the obligation to communicate the breach to the supervisory authority and to data subjects. That is because notifying data subjects of a breach meets an important objective, which, according to recital 86 of the preamble to the GDPR, is to allow natural persons to take the necessary precautions against the potential consequences of the breach.