We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.

Communicating a personal data breach to natural persons


by Maciej Ogórek

10 August 2022

Ensuring an appropriate level of personal data protection is one of the main responsibilities of personal data controllers. This can be achieved using appropriate procedures and technical measures. However, sometimes even the advanced protection methods do not guarantee security.

Securing personal data against potential malware attacks is particularly tough. Therefore, every personal data controller must take into account the risk of personal data breach at one of the processing stages. That is why, in addition to implementing appropriate safeguards, data controllers should also be aware of their obligations in the case of a breach. 

Personal data breach

Breaches may have different natures and different consequences. In particular, they can affect the confidentiality of data, which means the data are disclosed or made available to an unauthorised entity. This is the most typical case of a personal data breach and, at the same time, it poses the greatest threat.

A breach may also concern the integrity of personal data (e.g. when unauthorised changes are made to the data) or their accessibility (e.g. when an authorised person cannot use the data).

Regardless of the nature of the breach, data controller will need to consider whether a given incident must be communicated to the data subject. Data controller may be obliged to notify the supervisory authority as well. 

When must a breach be communicated to the data subject?

Pursuant to Articles 33 and 34 of the GDPR, in the case of a personal data breach, the controller must notify the personal data breach to two parties: the supervisory authority and the data subjects. The circumstances triggering the obligation to communicate the breach to natural persons are somewhat different than in the case of the obligation to notify the supervisory authority.

The supervisory authority must be notified of each case of breach except where the risk of violation of the rights and freedoms of individuals is low. When it comes to natural persons, in turn, the data controller must communicate the breach to them when the risk of violation of the rights and freedoms of data subjects turns out high. This leads to a conclusion that data controllers are much more frequently obliged to communicate cases of personal data breach to natural persons than to the President of Personal Data Protection Office.

Risk analysis and impact assessment of a personal data breach 

To identify data controller’s obligations in a specific case, the data controller should carry out a risk analysis and impact assessment. The type of data affected by the breach, its nature, extent and potential consequences need to be investigated.

If the risk of violation of the rights and freedoms of natural persons is high, the data controller should communicate the breach not only to the President of the Personal Data Protection Office, but also to natural persons. If the risk does not prove high, the data controller will not need to communicate the breach to the data subject.

The high risk is when e.g. Polish personal identification number PESELs together with first and last name and insurance documents, particular person’s data concerning health, are published on the Internet. A breach which the President of the Personal Data Protection Office has found to be low-risk to the rights and freedoms is, among others, employer’s loss of employee’s work record certificate. The President of the Personal Data Protection Office claims that work record certificates do not contain data which could lead to violation of the rights or freedoms so the natural person do not need to be notified of the breach. 

An incident which does not lead to the disclosure of personal data but only to loss of access to them may spark greater doubts. In such cases, the risk to the rights and freedoms of data subjects will be high much less frequently. Nonetheless, case-by-case assessment may lead to different conclusions, in particular if we are dealing with significant data concerning health and if these data are inaccessible for a longer time. 

Exceptions to the notification obligation

Article 34(3) of the GDPR defines exceptions to the above-mentioned circumstances triggering the obligation to communicate the breach to data subjects. 

Even if personal data are breached and the analysis shows a high risk of violation of the rights and freedoms of a natural person, there are still cases when the data controller is not obliged to notify the natural person of the breach. This applies if and when: 

  • the data controller has implemented appropriate technical and organisational measures and those measures were applied to the personal data affected by the breach (e.g. the data affected by the breach were secured in a manner that renders the personal data unintelligible to any person who is not authorised to access them);
  • following the breach, the controller has taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  • notification of data subjects would involve disproportionate effort. In such a case, relevant communication or similar measure should be used whereby the data subjects are informed in an equally effective manner.

Case-by-case approach to breaches

Due to the variety of potential personal data breaches, each case requires an individual approach and a separate analysis. Of course, it is always a good idea to implement appropriate data security measures before a breach occurs. However, it is often the detailed analysis of the breach which shows what additional data protection measures should have been taken by the enterprise. It is also worth including in the analysis the issue of the obligation to communicate the breach to the supervisory authority and to data subjects. That is because notifying data subjects of a breach meets an important objective, which, according to recital 86 of the preamble to the GDPR, is to allow natural persons to take the necessary precautions against the potential consequences of the breach.


Contact Person Picture

Jarosław Kamiński

Attorney at law (Poland)


+48 694 207 482

Send inquiry


Deutschland Weltweit Search Menu