What kind of personal data breach shall be notified to the President of the PDPO?
When a personal data breach is detected, the controller shall first assess whether it may result in a risk to the rights and freedoms of individuals. If the assessment shows that the breach is unlikely to result in a risk to individuals’ rights and freedoms, notifying the supervisory authority is not required. It should be remembered, though, that if a breach is not notified, the supervisory authority may require reasoning for that decision; the justification for it should therefore be documented in the records of breaches.
This risk to individuals’ rights and freedoms exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss or fraud, unauthorised reversal of pseudonymisation, loss of confidentiality of personal data protected by professional secrecy, damage to reputation, or any other significant economic or social disadvantage for the data subject. When the breach involves personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or include genetic data, data concerning health or data concerning sex life, such damage should be considered likely to occur.
More information regarding risk assessment can be found in the two-part guide of the President of the Personal Data Protection Office, which answers the questions: How to understand the risk-based approach under the GDPR? (more in Polish) and How to apply the risk-based approach? (more in Polish)