Personal Data Breach Under GDPR — Notification Procedure, Obligations, and Fines

A leak of customer data, a lost laptop containing an employee database, a ransomware attack encrypting company servers, an email with personal data sent to the wrong recipient — these are just some examples of personal data breaches that organisations face every day. The GDPR imposes specific obligations on data controllers when a breach occurs, including the requirement to notify the supervisory authority within 72 hours.

This article provides a step-by-step guide on how to handle a personal data breach — from detection, through risk assessment and notification to the Polish Data Protection Authority (UODO), to informing the individuals whose data has been compromised. It also reviews the most significant fines imposed by UODO and European supervisory authorities for improper breach handling.

What Is a Personal Data Breach?

Under Article 4(12) of the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

It is important to note that a breach does not have to result from a cyberattack. It can equally be caused by human error, a technical malfunction, or an inadequate internal procedure. The European Data Protection Board (EDPB) in its Guidelines 9/2022 distinguishes three categories of breaches:

Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data. Example: an employee sends a payroll spreadsheet to the wrong recipient; an unauthorised person gains access to a client database.

Integrity breach — unauthorised or accidental alteration of personal data. Example: a system error causes client records to be overwritten with incorrect values.

Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data. Example: a ransomware attack encrypts a database and the company loses access; a fire destroys a server with no backup.

A single incident may involve multiple categories simultaneously.

72 Hours — The Obligation to Notify the Supervisory Authority

Article 33(1) of the GDPR requires that in the case of a personal data breach, the controller shall without undue delay — and, where feasible, not later than 72 hours after having become aware of it — notify the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Key points regarding the 72-hour deadline:

When does the clock start? From the moment the controller becomes “aware” of the breach — meaning the controller has a reasonable degree of certainty that a security incident compromising personal data has occurred. A mere suspicion does not start the clock, but the controller should immediately take steps to investigate.

Is the 72-hour deadline absolute? No — the GDPR allows for delayed notification, but requires justification. If the notification is made after 72 hours, the controller must explain the reasons for the delay (Article 33(1) GDPR). In practice, UODO expects the delay to be genuinely justified — e.g., an ongoing law enforcement investigation.

Must every breach be notified? No. Notification is required when the breach is likely to result in a risk to the rights and freedoms of natural persons. If the risk is unlikely — e.g., a lost laptop that was fully encrypted with a strong algorithm — notification is not required. However, the controller must document this assessment.

How to Assess the Risk of a Breach — Step by Step

Risk assessment is the critical step that determines whether you need to notify UODO and whether you need to inform the affected individuals. The EDPB in Guidelines WP 250 (rev.01) recommends considering the following factors:

Type of breach — a confidentiality breach (data disclosed to unauthorised parties) is generally higher risk than an availability breach (temporary loss of access), especially if the data has reached malicious actors.

Nature and sensitivity of the data — the more sensitive the data, the higher the risk. Special categories of data (health, sexual orientation, biometric data), financial data (credit card numbers), and identification numbers (national ID, passport numbers) carry higher risk than, for example, an email address alone.

Identifiability of individuals — if the disclosed data allows direct identification of individuals (name, national ID number), the risk is higher than for anonymised or pseudonymised data.

Number of affected individuals — the more individuals affected, the higher the risk, although even a breach concerning a single person can be serious (e.g., disclosure of medical records).

Special characteristics of individuals — breaches involving children, patients, persons with disabilities, or other vulnerable groups carry higher risk.

Consequences for individuals — what harm could individuals suffer? Potential consequences include: identity theft, financial loss, discrimination, reputational damage, breach of professional secrecy.

Special characteristics of the controller — e.g., a hospital processing medical data is held to a stricter standard than an online shop with an email address database.

Based on these factors, the controller should assess whether the risk level is: no risk (no notification obligation), risk (notify UODO), or high risk (notify UODO and inform individuals).

How to Notify UODO — The Procedure

When the risk assessment indicates that notification is required, the controller should file a notification with UODO. The notification is submitted electronically.

The notification form is available on the UODO website (uodo.gov.pl). It can be filed via the ePUAP platform or through UODO’s interactive electronic form.

The notification must include (Article 33(3) GDPR):

A description of the nature of the breach, including where possible the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.

The name and contact details of the Data Protection Officer (DPO) or other contact point from whom more information can be obtained.

A description of the likely consequences of the breach.

A description of the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

If you do not have all the information at the time of notification — do not wait. The GDPR allows for phased notification (Article 33(4)): submit an initial notification with the information you have and provide the remaining details without undue delay.

When Must You Inform the Affected Individuals?

Article 34 of the GDPR requires that individuals be notified when the breach is likely to result in a high risk to their rights and freedoms. The threshold is higher than for notification to UODO — not every breach reported to the supervisory authority also requires notification to individuals.

Notification to individuals is not required if (Article 34(3) GDPR):

The controller has implemented appropriate technical and organisational protection measures to the data affected by the breach — in particular measures that render the data unintelligible to unauthorised persons (e.g., encryption).

The controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise.

It would involve disproportionate effort — in which case a public communication or similar measure may be used instead.

The notification should be written in clear and plain language (not legal jargon) and must include at minimum: a description of the breach, the DPO’s contact details, a description of likely consequences, and a description of measures taken.

Breach Documentation — The Obligation Many Forget

Article 33(5) of the GDPR requires the controller to document all personal data breaches — regardless of whether the breach requires notification to UODO or not. The documentation must cover the facts relating to the breach, its effects, and the remedial action taken.

In practice, this means maintaining an internal breach register, which should include for each incident: the date and time the breach was detected, a description of the event, categories of data and individuals affected, risk assessment, the decision to notify (or not, with justification), remedial actions taken, and the date of notification to UODO (if applicable).
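The risk assessment described earlier (type of breach, sensitivity and identifiability of the data, number and vulnerability of the individuals, leading to the no risk / risk / high risk outcome), the Article 34(3) exemptions, the 72-hour clock that starts at the moment of awareness, and the breach register described in this section can all be put into one triage routine. The following Python script is an added example written for this article; it is not part of the article and not a tool published by UODO or the EDPB. The data-category labels, the rule thresholds (for instance treating 100 or more directly identifiable persons as high risk), and the four incidents are assumptions constructed for illustration; a real assessment is made on the facts of each case. Note that the "data unintelligible" flag stands for encryption whose key was not exposed, which is the condition under which a lost encrypted device is unlikely to result in a risk.

```python
"""Breach triage and register entry modelled on the article's procedure.
Added example, not from the article, UODO or the EDPB. Rules and thresholds
are an assumed, simplified policy for demonstration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"

class RiskLevel(Enum):
    NONE = "no risk"
    RISK = "risk"
    HIGH_RISK = "high risk"

# Category labels are assumed; the groupings follow the article's examples.
SENSITIVE_CATEGORIES = {"health", "sexual_orientation", "biometric",
                        "financial", "national_id", "passport"}
IDENTIFYING_CATEGORIES = {"name", "national_id", "passport"}

@dataclass
class Breach:
    description: str
    types: set                         # one or more BreachType values
    data_categories: set
    affected_count: int
    aware_at: datetime                 # moment of "awareness" that starts the 72h clock
    vulnerable_subjects: bool = False  # children, patients, other vulnerable groups
    data_unintelligible: bool = False  # strong encryption, key not exposed (Art. 34(3)(a))
    risk_remediated: bool = False      # later measures removed the high risk (Art. 34(3)(b))

@dataclass
class RegisterEntry:
    breach: Breach
    risk: RiskLevel
    notify_uodo: bool
    inform_individuals: bool
    uodo_deadline: datetime
    justification: str

def assess_risk(b: Breach) -> RiskLevel:
    """Map the WP 250 factors to the article's three outcomes (assumed rules)."""
    # Lost device whose data is unintelligible: risk unlikely, nothing to notify.
    if b.data_unintelligible and b.types == {BreachType.CONFIDENTIALITY}:
        return RiskLevel.NONE
    if BreachType.CONFIDENTIALITY in b.types and not b.data_unintelligible:
        sensitive = bool(b.data_categories & SENSITIVE_CATEGORIES)
        identifying = bool(b.data_categories & IDENTIFYING_CATEGORIES)
        # Sensitive data, vulnerable groups or identifiable people at scale: high risk.
        if sensitive or b.vulnerable_subjects or (identifying and b.affected_count >= 100):
            return RiskLevel.HIGH_RISK
        return RiskLevel.RISK  # e.g. e-mail addresses alone
    # Integrity or availability only (e.g. ransomware with a working backup):
    # a notifiable risk, but the individuals need not be informed.
    return RiskLevel.RISK

def triage(b: Breach) -> RegisterEntry:
    """Decide the notification duties and build the register entry (Art. 33(5))."""
    risk = assess_risk(b)
    notify_uodo = risk is not RiskLevel.NONE
    # Art. 34 applies only at high risk and is lifted by the 34(3) exemptions.
    exempt = b.data_unintelligible or b.risk_remediated
    inform = risk is RiskLevel.HIGH_RISK and not exempt
    why = f"{risk.value}; UODO notification {'required' if notify_uodo else 'not required'}; "
    why += "individuals informed" if inform else "individuals not informed"
    if risk is RiskLevel.HIGH_RISK and exempt:
        why += " (Art. 34(3) exemption)"
    return RegisterEntry(b, risk, notify_uodo, inform, b.aware_at + timedelta(hours=72), why)

def notification_status(entry: RegisterEntry, filed_at: datetime) -> str:
    """Compare the filing time with the deadline; a late filing needs written reasons."""
    if not entry.notify_uodo:
        return "no notification required"
    if filed_at <= entry.uodo_deadline:
        return "on time"
    return f"late by {filed_at - entry.uodo_deadline}; reasons for delay must be given (Art. 33(1))"

def sample_entries() -> dict:
    """Constructed incidents, modelled on the article's own examples."""
    t0 = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)  # constructed awareness time
    cases = {
        "payroll": Breach("Payroll spreadsheet e-mailed to the wrong recipient",
                          {BreachType.CONFIDENTIALITY}, {"name", "financial"}, 40, t0),
        "laptop": Breach("Fully encrypted laptop lost in a taxi",
                         {BreachType.CONFIDENTIALITY}, {"name", "email", "national_id"}, 1200, t0,
                         data_unintelligible=True),
        "ransomware": Breach("Ransomware encrypted the CRM database; restored from backup",
                             {BreachType.AVAILABILITY}, {"name", "email"}, 5000, t0),
        "newsletter": Breach("Newsletter subscriber list exposed (e-mail only)",
                             {BreachType.CONFIDENTIALITY}, {"email"}, 50, t0),
    }
    return {key: triage(b) for key, b in cases.items()}

if __name__ == "__main__":
    for key, e in sample_entries().items():
        print(f"{key:<10} {e.risk.value:<10} notify={e.notify_uodo} "
              f"inform={e.inform_individuals} deadline={e.uodo_deadline.isoformat()}")
```

Running the script prints one register line per constructed incident: the payroll e-mail ends up as high risk (notify UODO and inform the employees), the encrypted laptop as no risk (document only), and the ransomware and newsletter cases as risk (notify UODO, no communication to individuals). The `justification` field records the reasoning the register must hold even when the decision is not to notify, and `notification_status` flags a filing made after the 72-hour deadline so that the reasons for the delay are written down.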

This register is one of the first documents UODO requests during an inspection.

How to Prepare Your Organisation — Incident Response Plan

Data breaches are inevitable — the question is not “if” but “when.” Every organisation should therefore have an Incident Response Plan in place that defines:

Who is responsible — clearly defined roles (DPO, IT department, management, legal team, communications). Who makes decisions? Who contacts UODO? Who notifies affected individuals?

How to detect breaches — technical mechanisms (SIEM systems, network monitoring, security alerts) and organisational measures (staff training, incident reporting procedures).

How to assess breaches — a ready-made risk assessment template, a decision matrix (notify / do not notify / inform individuals).

How to respond — technical steps (isolate the threat, preserve evidence, restore systems) and legal steps (notify UODO, inform individuals, report to law enforcement if applicable).

How to document — breach register template, UODO notification template, individual notification template.

How to learn — post-incident analysis (lessons learned), update security measures, additional training.

Regularly testing this procedure (e.g., through incident simulations) is just as important as having it in place.

Fines for Improper Breach Handling

UODO and European supervisory authorities impose fines not only for allowing a breach to occur but also (and sometimes primarily) for improper response to a breach. The most common violations include:

Failure to notify the supervisory authority — not filing a notification within 72 hours or failing to notify entirely. UODO has fined Polish entities for failing to report breaches, even when the breach itself was relatively minor.

Failure to notify individuals — not informing individuals whose data was compromised despite the breach posing a high risk to their rights.

Lack of documentation — not maintaining a breach register or failing to document the risk assessment.

Insufficient security measures — lack of encryption, weak passwords, no backups, no staff training.

Fines can reach up to EUR 10 million or 2% of annual global turnover, whichever is higher (for violations of controller obligations, including notification duties), or up to EUR 20 million or 4% of annual global turnover, whichever is higher (for violations of fundamental processing principles). In practice, fines in Poland have ranged from several thousand to several million PLN.

Practical Checklist — What to Do When a Breach Occurs

  1. Identify the breach — confirm that a security incident involving personal data has occurred.
  2. Contain the situation — stop further leakage or loss of data (e.g., block a compromised account, disconnect an infected server).
  3. Notify the DPO — if you have a designated Data Protection Officer, inform them immediately.
  4. Assess the risk — using a risk assessment matrix, determine whether the breach requires notification to UODO and/or notification to individuals.
  5. Notify UODO (if required) — within 72 hours of becoming aware of the breach, using the form on the UODO website.
  6. Inform individuals (if high risk) — in clear and plain language, describing the breach and the measures taken.
  7. Document everything — record the circumstances, timeline, decisions, and actions in the breach register.
  8. Learn from the incident — analyse the root cause and implement additional safeguards to prevent similar breaches in the future.

Need Help With a Data Breach?

Time is critical — 72 hours pass quickly. At the Law Office of Joanna Maniszewska-Ejsmont, we assist companies at every stage of breach response: from risk assessment, through preparing the UODO notification, to informing affected individuals and implementing remedial measures. We also serve as an external DPO, providing ongoing support in incident management.

Contact us — we will guide you through the process step by step.