Personal data breaches and notification – viewpoints of data protecting authorities

Author: r.pr. Tomasz Osiej, Szymon Dawidczyk

In recent months, the President of the Personal Data Protection Office (UODO) published updated guidelines on personal data breaches. The publication sparked a debate among data protection experts, who took a particular interest in the problem of the notification obligation. Inspired by this discussion, we at the gdpr.pl portal decided to ask data protection authorities (DPAs) in several countries for their viewpoints on personal data breaches. We received replies from nine DPAs (in alphabetical order): Albanian, Belgian, Bulgarian, Estonian, Finnish, Lithuanian, Maltese[1], Slovakian and Slovenian. We are deeply grateful for all the answers received. The results of our research are presented below.

What did we ask about?

Our questions were related to the following subjects:

  • What is the purpose of notifying personal data breaches to the supervisory authority? What do we want to achieve through this regulation? What purpose does it serve?
  • When can a breach be said to have been “confirmed”, and from when does the 72-hour period for reporting it start to run?
  • Is there a level of risk at which there is no obligation to notify personal data breaches? If so, how should it be determined?
  • Are there violations (categories) where we can assume a priori that they do not need to be reported?
  • What is (should be) the role of the DPO in the breach response process?

We also asked the DPAs about the number of data breaches notified between 2022 and 2024. We believe that statistical data provide an objective picture of the scale of data breaches, so we begin our article with a brief analysis of these data.

Statistics

According to reports published by the President of the UODO, the Polish DPA received 12 772 breach notifications in 2022 and 14 069 in 2023. The report for 2024 had not been published at the time of writing. This compares with the following figures in other countries.

Breach notifications received per year:

| Year | Finland | Malta | Estonia | Bulgaria | Slovenia | Slovakia | Lithuania | Belgium | Poland |
|------|---------|-------|---------|----------|----------|----------|-----------|---------|--------|
| 2022 | 5446    | 59    | 153     | 80       | 86       | 120      | 304       | 1426    | 12 772 |
| 2023 | 6894    | 67    | 196     | 51       | 183      | 185      | 254       | 1080    | 14 069 |
| 2024 | 7152    | 105   | 184     | 73       | 160      | 122      | 273       | -/-     | 14 842 |

As can be seen, in absolute numbers Poland clearly dominates the countries presented in the table. However, the population of Poland is greater than the populations of all the other countries listed taken together. When population is taken into account, the Polish DPA received 33,96 data breach notifications per 100 000 inhabitants in 2022 and 37,52 in 2023.

Breach notifications per 100 000 inhabitants:

| Year | Finland | Malta | Estonia | Bulgaria | Slovenia | Slovakia | Lithuania | Belgium | Poland |
|------|---------|-------|---------|----------|----------|----------|-----------|---------|--------|
| 2022 | 97,25   | 13,11 | 11,76   | 1,25     | 4,09     | 2,21     | 10,13     | 12,08   | 33,80  |
| 2023 | 123,11  | 14,88 | 15,08   | 0,79     | 8,7      | 3,4      | 8,46      | 9,15    | 37,38  |
| 2024 | 127,71  | 23,33 | 14,15   | 1,14     | 7,62     | 2,24     | 9,1       | -/-     | 39,58  |

These data show that, even allowing for population size, the number of notifications received by the President of the UODO is very high. Among the countries presented, only Finland is significantly ahead of Poland in this respect.

What is the purpose of data breach notification?

According to the guidelines of the President of the UODO, “the purpose of notification is to mitigate potential harm for data subjects”. This practical and concise standpoint emphasizes the interests of the data subjects potentially affected by the breach. What are the viewpoints of the other DPAs?

The Bulgarian DPA’s viewpoint is quite similar. According to its answer, data breach notification is necessary “in order to take sufficiently effective measures to protect personal data”. Like the Polish DPA, the Bulgarian DPA is concerned mostly with handling personal data breaches and managing their consequences.

The Slovenian DPA claims that the purpose of notification is not limited to protecting data subjects’ rights and freedoms, but also includes ensuring transparency and accountability. According to the Slovenian DPA, the obligation therefore not only helps to mitigate harm for data subjects, but is also necessary to verify the correctness of the controller’s actions. The Belgian DPA’s answer is similar: it states that the protection of individuals’ rights is achieved “especially by strengthening the transparency”.

The Estonian DPA takes an even wider view of the purposes of notification. According to this DPA, the purpose of notification is to “investigate the data breach, decide what measures need to be taken regarding supervisory proceedings and to react as soon as possible to protect the rights and freedoms of data subjects”. The Slovakian DPA indicated that breach notification serves to strengthen compliance with data protection legislation. By notifying breaches, according to the Slovak DPA, the controller can receive guidance from the supervisory authority, including on the need to inform data subjects of the breach. Thanks to this, the controller will be able to explain to data subjects the risks of the breach and how they can protect themselves from possible harm.

The most comprehensive answer was provided by the Lithuanian DPA, which pointed out that the obligation to notify data breaches serves to ensure transparency and accountability and to increase trust in the organisation, as well as to minimise damage and enable DPAs to carry out their tasks effectively. It also indicated that controllers who report their data breaches can receive guidance on how to minimise potential harm to data subjects. The obligation to report breaches, according to this DPA, also forces controllers to take personal data protection seriously and to manage the related risks responsibly.

At what point is a breach confirmed?

According to the guidelines of the President of the UODO, the controller becomes aware of a data breach (and thus the 72-hour time limit for notification starts to run) when it becomes aware that a personal data security breach has occurred, i.e. when it becomes aware that the event is a security incident (1), that it involves personal data (2), and that it may lead to the destruction, loss, modification, unauthorised disclosure of, or unauthorised access to, data (3). An almost identical position is taken by the Belgian DPA, which also equates the establishment of a data breach with the controller becoming aware of it. Close to this position is the Estonian DPA, according to which a data breach is established when the controller “is certain that a breach has occurred which has led to the disclosure of data”.

According to the Slovakian DPA, a controller can be considered to be aware of a data breach when it has a reasonable degree of certainty that a security incident has occurred and has led to a data breach.

Another very interesting position was presented by the Bulgarian DPA, which indicated that a breach is established when “the controller has found or obtained evidence of unauthorised access to the processed data”. The Bulgarian authority’s position is the only one in which the issue of “evidence of a breach” appears.

According to the Maltese DPA, the starting point is “a reasonable level of certainty that a violation has occurred”. In the light of this wording, the Maltese authority does not require 100% certain awareness of the breach: a prima facie case amounting to “a reasonable level of certainty” is sufficient.
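The positions above share one operational consequence: the 72-hour clock starts at the moment of awareness, not at the first alert, and awareness requires all three criteria from the UODO guidelines to be met. The following Python sketch is an added illustration written for this article, not the code or the official method of any DPA. It assumes the three criteria quoted above, the 72-hour window of Article 33 GDPR, and the preliminary/complete notification practice described in the Maltese IDPC response at the end of this page (a complete notification within 10 working days of the preliminary one); the working-day calculation skips weekends only and does not model public holidays, and the sample timeline is constructed, not a real case.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # Article 33(1) GDPR: "where feasible, not later than 72 hours"
COMPLETION_WORKING_DAYS = 10               # IDPC (Malta) practice quoted on this page; assumption: weekends skipped only


@dataclass
class BreachTimeline:
    """When each of the three awareness criteria from the UODO guidelines was confirmed (None = not yet)."""
    security_incident_confirmed: Optional[datetime] = None  # (1) the event is a security incident
    personal_data_confirmed: Optional[datetime] = None      # (2) personal data are involved
    impact_confirmed: Optional[datetime] = None             # (3) destruction, loss, modification, disclosure or access possible
    investigation_closed: Optional[datetime] = None         # when the facts for a complete notification were all known


def awareness_time(tl: BreachTimeline) -> Optional[datetime]:
    """The clock starts only when all three criteria are met: the latest confirmation, not the first alert."""
    parts = (tl.security_incident_confirmed, tl.personal_data_confirmed, tl.impact_confirmed)
    if any(p is None for p in parts):
        return None
    return max(parts)


def add_working_days(start: date, days: int) -> date:
    """Count forward `days` working days (Mon-Fri). Public holidays are not modelled (assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def plan_notification(tl: BreachTimeline) -> dict:
    """Decide which filing is due and by when, under the 72-hour rule and the preliminary/complete split."""
    aware = awareness_time(tl)
    if aware is None:
        return {"status": "not yet aware", "note": "clock not started; keep investigating and documenting"}
    deadline = aware + NOTIFICATION_WINDOW
    if tl.investigation_closed is not None and tl.investigation_closed <= deadline:
        return {"status": "complete notification", "aware": aware, "due": deadline}
    # The investigation outlasts the window: file a preliminary notification by the deadline,
    # then complete it within 10 working days of the preliminary filing (taken here as the deadline date).
    return {
        "status": "preliminary notification",
        "aware": aware,
        "due": deadline,
        "complete_by": add_working_days(deadline.date(), COMPLETION_WORKING_DAYS),
    }


# Constructed sample timelines (not real cases). Alert on Friday 1 March 2024, personal data confirmed on Saturday.
SAMPLE_ALERT_ONLY = BreachTimeline(security_incident_confirmed=datetime(2024, 3, 1, 9, 0))
SAMPLE_OPEN = BreachTimeline(
    security_incident_confirmed=datetime(2024, 3, 1, 9, 0),
    impact_confirmed=datetime(2024, 3, 1, 18, 0),
    personal_data_confirmed=datetime(2024, 3, 2, 14, 0),
)
SAMPLE_CLOSED = BreachTimeline(
    security_incident_confirmed=datetime(2024, 3, 1, 9, 0),
    impact_confirmed=datetime(2024, 3, 1, 18, 0),
    personal_data_confirmed=datetime(2024, 3, 2, 14, 0),
    investigation_closed=datetime(2024, 3, 4, 10, 0),
)

if __name__ == "__main__":
    for tl in (SAMPLE_ALERT_ONLY, SAMPLE_OPEN, SAMPLE_CLOSED):
        print(plan_notification(tl))
```

In the constructed sample the first alert arrives on Friday morning, but the controller only confirms that personal data are involved on Saturday afternoon, so the deadline falls on Tuesday afternoon rather than Monday morning; if the investigation cannot be closed by then, the preliminary filing keeps the controller within the window and the complete notification is due ten working days later.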

When can a data breach notification be waived?

It is worth noting that almost all the authorities that responded indicated that there is no catalogue of categories of breaches that can be assumed to present a low risk. The Lithuanian DPA partially took a different view. It indicated a number of types of breaches that do not require notification, e.g. sending an email that does not contain special categories of data to an unintended but trusted recipient who can confirm its deletion (the practical example given by the DPA was sending such an email to the wrong employee within the same company). An interesting approach is also taken by the Albanian DPA, which states that no such catalogue has been established but that one could be established in the future as the practice of applying the legislation develops.

One of the most controversial positions presented in the guidelines of the President of the UODO is the view that data breach notification is not mandatory only if the breach creates no risk to the rights and freedoms of data subjects. The Polish DPA thus interprets the phrase “is unlikely to result in a risk to the rights and freedoms of natural persons”, which appears in the GDPR, in a restrictive manner.

[1] At the request of the Maltese DPA that its answer be quoted in its entirety, we attach the full original version of the IDPC’s answer below the article.

PLEASE NOTE: The President of the UODO does not equate the exception to the breach notification obligation solely with the “absence of risk”. The DPA pointed out that this kind of simplification, although found in many studies by supervisory authorities (e.g. Finnish or French), does not fully reflect the complexity of the issue. For more, please see the comment on the article that we received from the Polish DPA.

A somewhat similar position is expressed by the Estonian DPA, which gave as an example of a non-notifiable breach the case of “data that is completely unreadable to unauthorised third parties where the controller has a copy of the data”, identical to the example given in the guidelines of the President of the UODO.

The Slovenian and Albanian DPAs agree that notification is not mandatory if “the breach is unlikely to result in any risk of prejudice to the rights or freedoms of natural persons”, which is a literal quotation from Article 33 of the GDPR. The Albanian DPA, however, encourages controllers to notify data breaches.

An interesting position was also presented by the Slovakian DPA. It pointed out, among other things, that an obligation to report every data breach regardless of its severity could overburden supervisory authorities, making it difficult for DPAs to focus on serious security incidents. The controller, however, is obliged to document its decision adequately, based on a risk assessment.

It appears that the Lithuanian DPA presented the most liberal position, and the one most divergent from that of the Polish DPA, explicitly stating that a low risk is sufficient grounds to waive notification.

What do DPAs think about the DPO’s role?

We asked three questions regarding the DPO’s role in handling data breaches:

  • Which obligations concerning the handling of a personal data breach can be fulfilled by the DPO?
  • How should the DPO cooperate with the controller in the case of a personal data breach?
  • How should the DPO support the controller in handling a personal data breach while avoiding the risk of a potential conflict of interest?

At this point, it is worth recalling the Polish DPA’s position on this subject as expressed in the Guidelines. The President of the UODO lists a broad catalogue of activities that the DPO should not perform, including, among others, notifying and documenting breaches. The President of the UODO takes as a starting point that the DPO cannot perform tasks that are the sole responsibility of controllers or processors. The DPO’s performance of the controller’s tasks, or acting as the controller’s proxy, interferes with the DPO’s independence and may create a conflict of interest. It appears that the President of the UODO supports narrowing the DPO’s role to advisory and training activities only. Other DPAs adopt more liberal positions.

PLEASE NOTE: The President of the UODO does not exclude the possibility of the DPO’s participation in the process of handling data protection breaches, as long as the special legal status of the DPO, as set out in Articles 38 and 39 of the GDPR, is respected. See more in the comment on the article that we received from the Polish DPA.

The Albanian and Slovenian DPAs both agree that the DPO can perform activities related to the data breach risk assessment and keeping records of breaches. The Slovenian DPA even allows the participation of the DPO in notifying the breach. Similar is the approach of the Lithuanian authority, according to which it is entirely acceptable and even desirable to involve the DPO in developing the content of a breach notification to the authority or a communication to data subjects.

The Slovakian DPA, in turn, indicated that the DPO should support the controller in handling data breaches, including by assisting in assessing whether a data breach should be notified to the DPA and what information should be included in such a notification. The DPA also indicated that the DPO should support the controller in establishing procedures for handling data breaches, and may also assist the controller in maintaining internal documentation related to data breaches.

Closer to the position of the President of the UODO is the position of the Estonian DPA, which indicates that the DPO should primarily advise the controller, verify the compliance of the processing with the GDPR and serve as a contact point for the DPA.

On the issue of potential conflicts of interest, the DPAs mainly focused on the problem of DPOs performing other functions within their organisations. The Estonian DPA noted that this problem clearly arises when the functions of the DPO are combined with top management functions within the organisation (the DPA pointed to the position of CEO as an example). An opposing perspective was provided by the Bulgarian DPA, which focused on the conflict of interest arising from hierarchical subordination. It pointed out that the DPO should not be given instructions and orders regarding his or her duties, nor be punished for performing them. An interesting approach was presented by the Albanian DPA. It pointed out that a conflict of interest is created by performing another role in the organisation if the performance of that role may influence decisions taken as DPO in a way that may harm the rights of data subjects.

Conclusions

The responses sent by the DPAs show that there are different interpretations of data protection legislation in Europe, including in particular the GDPR. The President of the UODO, however, is not isolated in his positions and finds support from his foreign counterparts on many issues (the Estonian DPA appears to hold particularly close views). In contrast, by far the most flexible and liberal viewpoints are those received from the Lithuanian DPA. We can and should draw on all these responses in our day-to-day practice, developing a kind of “golden mean”, which we hope this publication will help with. Finally, it should be clear that the responses we received indicate that all authorities place a very high value on the notification of data breaches and consider it a challenging task both for controllers and for DPAs.

PLEASE NOTE: Prior to the publication of this article, we asked the President of the UODO for comment. Below we publish the full text of the response that we received from the Polish supervisory authority.

The Polish supervisory authority comment (unofficial translation)

One of the main purposes of the GDPR is to ensure that the provisions of the regulation are applied consistently and uniformly across the European Union. The President of the Personal Data Protection Office (UODO) is actively working towards this goal and handling notified data breaches based on both the EDPB guidelines and the CJEU jurisprudence, as well as observing the course of action of other supervisory authorities.

The new guidelines of the President of the UODO are an example of such activities. The positions they contain have been developed as a result of thorough analyses, taking into account the rich acquis of other supervisory authorities. However, it is worth emphasising that, by their very nature, the guidelines are of a general nature and constitute educational material, presented in a concise and comprehensible manner for the average recipient. Meanwhile, in the discussed material, the position of the President of the UODO – as the only one – was reconstructed exclusively on the basis of selected excerpts from the guidelines, and not, as in the case of other supervisory authorities, on the basis of detailed, exhaustive answers to precisely formulated questions.

Some of the wording used in the article does not reflect the position of the authority. In particular, the question of the ‘level of risk at which there is no obligation to notify breaches’ (as well as the concept of ‘low risk’) appears to miss the actual content of the GDPR regulation. Indeed, the regulation does not provide – with the exception of ‘high’ risk – any gradation of risk levels, linking the existence of the notification obligation only to the level of likelihood of a threat to the rights or freedoms of natural persons. Moreover, contrary to the assertions in the article, the President of the UODO does not equate the exception to the notification obligation with the ‘absence of risk’ only. This kind of simplification, although operating in many studies of supervisory authorities (e.g. Finnish or French), does not fully capture the complexity of the issue.

The suggestion that the President of the UODO excludes the possibility of the DPO’s participation in the process of handling data breaches is also not confirmed. On the contrary – as has been pointed out on many occasions – this is possible as long as the specific legal status of the DPO, as set out in Articles 38 and 39 of the GDPR, remains respected.

The number of data breaches notified to the UODO in 2024 was 14 842.

THE FULL RESPONSE OF THE MALTESE SUPERVISORY AUTHORITY

In relation to the handling of personal data breaches, the Information and Data Protection Commissioner (IDPC) of Malta follows the European Data Protection Board (the EDPB) guidelines, in particular, Guidelines 9/2022 on personal data breach notification under GDPR, adopted 28 March 2023 and Guidelines 01/2021 on examples regarding data breach notification, adopted on 14 January 2021.

The latter guidelines provide practice-oriented use cases which were developed through the experiences gained by supervisory authorities since the GDPR came into force. These guidelines assist controllers in deciding how to handle data breaches and, specifically, what factors to consider during the related risk assessment, to decide whether the breach is likely to result in a risk for the right and freedoms of the affected individuals, and whether the incident should be notified to the supervisory authority and communicated to the affected data subjects.

The GDPR establishes that controllers shall notify the supervisory authority when they become aware of a breach that is likely to result in a risk to the rights and freedoms of the data subject.

Controllers must submit their notification ‘without undue delay’, or ‘as soon as possible’ and, where feasible, not later than 72 hours from when the controller became aware of the breach.

Having said that, when, exactly, a controller can be considered to be “aware” may depend on the circumstances of the specific breach. In some cases, it will be relatively clear from the outset that there has been a breach, whereas in others, it may take some time to establish if personal data have been compromised and/or the rights and freedoms of individuals are at risk.

The IDPC provides controllers with an online form to submit personal data breaches. In this form, controllers have the possibility to choose between filing a preliminary notification and providing the missing information in a complete notification within 10 working days from the date of the preliminary one.

When the controller’s investigation to determine if a breach is a notifiable breach takes longer than 72 hours, the IDPC always suggests that controllers submit a preliminary notification so that the principle of “prompt action” is met. In the event that, at the end of the investigation, the controller establishes that no personal data has been compromised, the controller can withdraw the preliminary notification, and no further action will be taken by the IDPC.

Controllers should have in place an incident response plan as part of their accountability obligations.

The Data Protection Officer is among those who need to assist the controller in the event a personal data breach occurs.

The IDPC has received 59 breach notifications in 2022, 67 in 2023, and 105 in 2024.
