Privacy Advisor

Poland’s New Rules on Notification of a Data Breach Take Effect in March

March 1, 2013


By Marcin Lewoszewski

Until recently, the Polish legal framework did not require a personal data breach to be reported to data subjects or to the Polish Data Protection Authority (DPA). The regulator analysed data breaches ad hoc, by sending its officers to the seat of the data controller, or of any other entity, to verify the security measures and internal procedures that had been implemented.

The law was partially amended by an act of 21 December 2012 amending the telecommunications law and other legal acts. The changes relating to data breaches will enter into force by 22 March.

It should be noted that the rules described in detail below apply to entities providing telecommunications services in Poland within the meaning of the Polish telecommunications act.

What constitutes a breach?

The amended law provides a classification of possible breaches. According to the act on telecommunications law, a “breach” is the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data processed by a telecommunications provider. In other words, even the accidental destruction of personal data should be reported, according to the law.

The second category of breach is “a breach that may have an adverse effect on the rights of the subscriber or end-user being an individual.” It is defined as a breach that “may, in particular, result in the unauthorised use of personal data, damage to property, violation of personal rights, violation of bank secrecy or other statutorily protected professional secrecy.” This definition is broad, i.e., the catalogue of cases in which a breach may be considered “serious” is open-ended.

Analysing a breach properly and classifying it correctly matters, because different procedures and requirements apply to the data controller depending on that classification.

Who is required to notify and who should be notified?

According to the amended law, an entity providing publicly available telecommunications services is required to notify a “breach of personal data.” This requirement therefore applies only to entities offering services that consist mainly of the transmission of signals over a telecommunications network.

Such a breach must be notified to the Polish DPA, which gained new powers under the amended law, within the timeframe specified in the law: immediately, and no later than three days after the breach is discovered.

In the case of a “serious breach,” as described above, the telecommunications provider must also notify each of the subscribers or end-users within three days of discovering the breach. This notification is in addition to the notification to the DPA, meaning that not only the DPA but also each of the data subjects must be notified individually.

If the telecommunications provider had implemented technical and organisational measures that prevent access to the data by unauthorised persons, and had applied them to the data affected by the breach, it is not necessary to notify the data subjects about the breach.

If the telecommunications provider fails to notify the data subjects about a breach as described above, the Polish DPA may issue a decision obliging the provider to give the data subjects a proper notification, taking into consideration the possible adverse effects of the breach.

What should be included in the notification?

The mandatory elements of the notification are set out in the amended telecommunications law. However, the act sets only a minimum standard; a notification may contain more than the act requires.

If the notification is addressed only to the Polish DPA, it should include at least the following elements:

  • A description of the nature of the personal data breach and assumed risk of infringement;
  • Contact details of providers of publicly available telecommunications services, in order to obtain information concerning the violation of data protection;
  • Information on recommended measures to mitigate possible adverse consequences of a breach of personal data;
  • Information on the measures taken by providers of publicly available telecommunications services;
  • Information on whether the subscriber or end-user, being an individual, has been informed that a personal data breach occurred;
  • A description of the consequences of a breach of personal data;
  • A description of remedies offered by the provider of publicly available telecommunications services.

The notification towards data subjects (subscribers or end-users) should include at least the following elements:

  • A description of the nature of the breach of personal data;
  • Contact details of providers of publicly available telecommunications services, in order to obtain information concerning the violation of data protection;
  • Information on recommended measures to mitigate the possible adverse consequences of a breach of personal data;
  • Information on the measures taken by providers of publicly available telecommunications services;
  • A description of the consequences of a breach of personal data;
  • A description of remedies offered by the provider of publicly available telecommunications services.

Register of data breaches

The telecommunications provider is required to keep a register of data breaches, describing the effect of each of the breaches and the measures that were implemented to prevent future breaches. The register should include at least the following data:

  • A description of the nature of the breach of personal data;
  • Information on the measures recommended by the provider of publicly available telecommunications services to mitigate the possible adverse consequences of a breach of personal data;
  • Information on the measures taken by providers of publicly available telecommunications services;
  • Information on whether the subscriber or end-user, being an individual, has been informed about the personal data breach;
  • A description of the consequences of a breach of personal data;
  • A description of remedies offered by the provider of publicly available telecommunications services.

The data controller may engage a third party to keep the register. In such a case, a data transfer agreement may be necessary between the data controller and the vendor.

Summary

The rules on reporting data breaches are a new requirement under Polish data protection law. They are a first step towards improving the protection of data subjects in the event of breaches, which have occurred quite often in recent years. In the future, the rules should be extended to other sectors, not only telecommunications.

Marcin Lewoszewski is an associate in the Commercial & Regulatory Department of CMS Cameron McKenna in Warsaw. He specialises in personal data protection and e-commerce issues in Poland.