To whom/what authority should a personal data breach be reported?
According to the Article 33(1) GDPR the controller shall notify a breach to the competent supervisory authority without undue delay. In Republic of Poland the competent supervisory authority in matter of protection of personal data is the President of the Personal Data Protection Offfice.
In case where the breach concerns persons in various EU countries, the President of the Personal Data Protection Office can be, but does not have to be, the lead supervisory authority (i.e. the authority relevant for the controller or the processor). In case of cross-border data breach the controller shall analyse whether the lead supervisory authority with reference to processing activities covered by the breach is the President of the Personal Data Protection Office or perhaps other European supervisory authority.