
Until recently, under the Polish legal framework it was not necessary to report a personal data breach to data subjects or the Polish Data Protection Authority (DPA). Cases of data breaches were analysed ad-hoc by the regulator by sending its officers to the data controllers’ seat—or any other entity—and verifying the security measures and internal procedures that were implemented.

The law was partially amended by the implementation of new rules by an act of 21 December 2012 on the change of the telecommunications law and other legal acts. Changes related to data breaches will enter into force by 22 March.

It should be noted that the rules described below in detail apply to entities providing telecommunications services in Poland in the meaning of the Polish telecommunications act.

What constitutes a breach?

The amended law provides a classification of possible breaches. According to the act on telecommunications law, a “breach” is the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data processed by a telecommunications provider. In other words, even the accidental destruction of personal data should be reported, according to the law.

The second category of a breach is “a breach that may have an adverse effect on the rights of the subscriber or end-user being an individual.” It is defined as a breach that “may, in particular, result in the unauthorised use of personal data, damage to property, violation of personal rights, violation of bank secrecy or other statutorily protected professional secrecy.” This definition is broad; i.e., the catalogue of cases where a breach may be considered “serious” is open.

Properly analysing a breach and classifying it correctly determines which procedure and which requirements apply to the data controller.

Who is required to notify and who should be notified?

According to the amended law, an entity providing publicly available telecommunications services is required to notify a “breach of personal data.” This requirement therefore applies only to entities whose services consist mainly of the transmission of signals over a telecommunications network.

The aforementioned breach should be notified within a timeframe specified in the law to the Polish DPA, which gained new powers under the amended law. The breach should be notified immediately, not later than three days after the breach is discovered.

In case of a “serious breach,” as described above, a telecommunications provider should notify each of the subscribers or end-users within three days of discovering such a breach. This notification is in addition to the notification to the DPA. This means that not only the DPA should be notified, but also each of the data subjects individually.

If the telecommunications provider implemented technical and organisational measures preventing access to data by unauthorised persons and applied them to the data that was subject to the breach, it is not necessary to notify the data subjects about the breach.

If the telecommunications provider fails to notify the data subjects about a breach, as described above, the Polish DPA may issue a decision imposing an obligation on such provider to provide data subjects with a proper notification, taking into consideration possible adverse effects of such a breach.

What should be included in the notification?

The mandatory elements of the notification are provided in the amended telecommunications law. However, the act sets only a minimum standard: the notification may be broader than the act requires.

If the notification is addressed only to the Polish DPA, it should include at least the following elements:

  • A description of the nature of the personal data breach and assumed risk of infringement;
  • Contact details of providers of publicly available telecommunications services, in order to obtain information concerning the violation of data protection;
  • Information on recommended measures to mitigate possible adverse consequences of a breach of personal data;
  • Information on the measures taken by providers of publicly available telecommunications services;
  • Information on whether the subscriber or end-user, being an individual, was informed that a personal data breach occurred;
  • A description of the consequences of a breach of personal data;
  • A description of remedies offered by the provider of publicly available telecommunications services.

The notification towards data subjects (subscribers or end-users) should include at least the following elements:

  • A description of the nature of the breach of personal data;
  • Contact details of providers of publicly available telecommunications services, in order to obtain information concerning the violation of data protection;
  • Information on recommended measures to mitigate the possible adverse consequences of a breach of personal data;
  • Information on the measures taken by providers of publicly available telecommunications services;
  • A description of the consequences of a breach of personal data;
  • A description of remedies offered by the provider of publicly available telecommunications services.

Register of data breaches

The telecommunications provider is required to keep a register of data breaches, describing the effect of each of the breaches and the measures that were implemented to prevent future breaches. The register should include at least the following data:

  • A description of the nature of the breach of personal data;
  • Information on the measures prescribed by providers of publicly available telecommunications services to mitigate the possible adverse consequences of a breach of personal data;
  • Information on the measures taken by providers of publicly available telecommunications services;
  • Information about the fact of informing or not informing the subscriber or end-user being an individual about a personal data breach;
  • A description of the consequences of a breach of personal data;
  • A description of remedies offered by the provider of publicly available telecommunications services.

The data controller may engage a third party to keep the register. In such a case, a data transfer agreement may be necessary between the data controller and the vendor.

Summary

The new rules on reporting data breaches are a new requirement under Polish data protection law. It is the first step to improving the protection of data subjects in case of breaches that have been occurring quite often in recent years. In the future, the rules should be applied to other sectors, not only to telecommunications.

Written By

Marcin Lewoszewski
