


How to assess a personal data incident?


by Grzegorz Gęborek

12 October 2021


Personal data breaches may happen to any organisation. Depending on numerous factors such as the reasons, extent or risk of certain ramifications, they may trigger specific GDPR obligations for data controllers.


In case of a breach, the critical factor is the time the data controller has to assess the case by gathering the necessary information and carrying out a risk analysis. The statutory deadline for reporting a breach to the supervisory authority (72 hours) may prove insufficient. Failure to fulfil that obligation, or fulfilling it improperly, may entail administrative penalties.


In 2021 we are seeing many such administrative penalties imposed by the President of the Personal Data Protection Office, whether for failure to report a personal data breach or for a complete lack of cooperation with the supervisory authority. The actual fines are nowhere near the upper limit stipulated in the GDPR and rather range from 20 to 100 thousand zloty. Decisions of the Personal Data Protection Office include valuable hints for data controllers on how to assess and handle personal data breaches and how to cooperate with the supervisory authority.


Each and every personal data breach should be approached individually. Yet most such breaches exhibit certain patterns and regularities which affect the obligations of data controllers. Noteworthy are EDPB Guidelines 1/2021 on examples of data breaches, presented for public consultation in the first quarter of 2021. The guidelines catalogue examples of breaches and include an assessment of the data controllers' obligations, including the decision on whether to report a breach to the supervisory authority and notify the affected data subjects.


The decision on whether to report a personal data breach to the President of the Personal Data Protection Office (abbreviated as PPDPO) and to the affected data subjects is up to the data controller. If the controller decides not to report an incident, the risk that the authorities will assess the case differently rests with the controller. Particularly important is documentation of the whole process, including the risk analysis which substantiates the decision not to report a breach to the PPDPO.


Case studies


A study of several decisions issued by the PPDPO in 2021 delivers a few interesting conclusions:


1. An uncritical approach may be detrimental to the data controller. Any leak of personal identification numbers (PESEL) causes a high risk of a violation of rights and freedoms.


This was the case with a foundation which was fined 13 thousand zloty for not reporting a personal data breach without undue delay and for not notifying the affected individuals (https://uodo.gov.pl/pl/138/2118).


The data controller claimed that its internal procedure showed a low risk of violation of rights and freedoms. The President of the Personal Data Protection Office disagreed. The lost data concerned 96 people and, in addition to ordinary personal data, the lost documents included PESEL numbers. According to the rather well-established position of the PPDPO, every leak of personal data containing PESEL numbers triggers a high risk. The supervisory authority became suspicious because the foundation's risk analysis had not been done properly.


2. The President of the Personal Data Protection Office will check the methodology of the risk analysis and will challenge it if it is wrong. A risk analysis must be reliable and must not be carried out solely to justify not notifying the PPDPO and the affected individuals.


One insurance company learnt this the hard way (https://uodo.gov.pl/pl/138/2096) after the PPDPO fined it 160 thousand zloty for failure to report a personal data breach. Moreover, the company was fined for its failure to notify the affected data subject, as requested by the supervisory authority. The authority noted that the data controller had carried out the risk analysis using its own form. At the same time, the PPDPO challenged the company's risk analysis, claiming that it had not been carried out properly.


The main problem was not isolated errors in the analysis but rather:

  • understating results in individual categories;
  • ignoring significant factors in individual criteria;
  • accounting for factors which should have been ignored.


The authority concluded that the analysis was of no use in evaluating whether the data breach needed to be reported to the PPDPO and the affected data subjects. The authority ruled that the analysis focused on justifying the absence of an obligation to notify the supervisory authority and the individuals.


3. Lack of cooperation with the President of the Personal Data Protection Office or hindering the inspection may lead to a fine.


The PPDPO has imposed a relatively large number of penalties in 2021 on entities which have not cooperated, or have refused to cooperate, with the authority. The fines hover around 22 thousand zloty. Noteworthy is the judgment of the Provincial Administrative Court in Warsaw of 23 February 2021, which fully backed the position and arguments raised by the PPDPO in its decision imposing a fine of 100 thousand zloty on the Surveyor General of Poland for preventing an inspection. The court also criticised the Surveyor General's conduct in cooperating with the Personal Data Protection Office and rejected all the arguments raised in the appeal against the supervisory authority's decision.
