UODO analyzes the notification of a personal data breach in NSJPP
The President of the Personal Data Protection Office received a notification regarding a breach of personal data protection from the National School of Judiciary and Public Prosecution in Krakow. The case is currently being analyzed and complemented for additional materials and information that will explain all its circumstances.
The controller informed the President that he had notified the data subjects of the breach by describing the nature of the personal data breach and indicating the scope of the disclosed data.
This data breach has also been notified to other entities such as the Police, the Incident Management Team in the Cybersecurity Office at the Ministry of Justice, the Computer Security Incident Response Team in the Research and Academic Computer Network (CSIRT/NASK) and the National Prosecutor's Office.
It is worth underlying that data breach should be notified to the President of the UODO, not later than 72 hours after having become aware of it. The President of the UODO should be notified of those data breaches where there is higher than small likelihood of adverse effects for the data subjects. These are, for example, situations in which a breach may lead to identity theft, financial loss or a breach of legally protected secrets. First of all, the purpose of notifying breaches to the President of the Personal Data Protection Office is, among others assessment by the supervisory authority whether the controller has correctly completed, among others the obligation to notify breaches to data subjects, provided that they actually have a duty to do so.
What to do if the data breach concerns my data?
Hacker attacks, i.e. breaking the security of IT systems in which personal data are processed or using existing loopholes in these systems are situations where unauthorized persons come into possession of personal data (or have such a possibility). You should then take appropriate action to limit any negative consequences.
First of all, you should be very careful when providing data via the Internet. You should carefully analyze messages from the controller which are contained e.g. in SMS messages, e-mails to avoid e.g. a phishing attack, the purpose of which may be obtaining additional data.
People who have fallen or suspect that they may have fallen victim of identity theft should first report this to the Police. The President of the UODO is not a law enforcement authority, he has no authority to conduct proceedings aimed at detecting the perpetrator of the crime and assessing whether it was committed, and to qualify the criminal act and impose an appropriate penalty.
Any person who considers that their personal data is being processed unlawfully may submit a complaint to the President of the Personal Data Protection Office. Moreover, Art. 79 of the GDPR also gives her or him the right, regardless of lodging a complaint to the President of the UODO, to protect his or her rights before a civil court. In accordance with Art. 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Further UODO tips on reducing the risk of identity theft are available in Polish in the following materials: