Not every interruption of data access constitutes a breach

In the context of the global cloud services outage revealed today, we would like to remind you that not every outage constitutes a data protection breach. Outages such as today's cause great confusion and trouble in many industries, including strategic ones such as transport and healthcare. Deputy Prime Minister, Minister of Digital Affairs Krzysztof Gawkowski said that outages related to the interruption of access to cloud services have been reported, but do not involve critical infrastructure.

The interruption of access to cloud services and the resulting lack of access to data, in certain situations, may result in a violation of persons' rights and freedoms. However, not every such violation requires notification to the President of the Personal Data Protection Office. The controller should, in each case, conduct a risk analysis and, if such a breach resulting in a risk of infringement of persons' rights or freedoms occurs, report such an incident to the supervisory authority. It is worth emphasising that the risk will occur in a situation where it is likely to affect the rights or freedoms of an individual, e.g. a direct threat to health or life.

This outage confirms, a fact derived from the GDPR standards, that inventorying resources in organisations is very important. It is also important to assess risks in terms of access to data and the impact of a possible outage on the protection of data subjects.