ARTICLE
9 May 2025

Polish PDPO's Guidelines On Data Protection Breaches Under The GDPR: Five Key Takeaways

GDPR and Data Protection expert and senior associate Bartosz Jankowski shares some important data protection information…

In February 2025, the Polish Personal Data Protection Office (PDPO) issued guidelines detailing the obligations of controllers concerning data protection breaches under the General Data Protection Regulation (GDPR). These guidelines are a significant development as they shed light on the PDPO's interpretation of critical aspects of data protection, offering a predictive framework for how the authority may assess controllers' actions in the event of a data breach.

Below are the five main takeaways from the PDPO guidelines:

(1) Definition and Scope of a Personal Data Security Breach

One of the key clarifications provided by the PDPO is its broad interpretation of what constitutes a personal data security breach. The guidelines explicitly state that a breach is not limited to incidents resulting in actual harm to data subjects but also includes situations where there is merely a risk of adverse consequences. This expansive view underscores the importance of vigilance, as even potential risks require attention and may necessitate remedial actions.

Moreover, the PDPO differentiates between a data protection breach and a GDPR violation, emphasising that the occurrence of a breach does not automatically imply non-compliance with the GDPR. This distinction is crucial for organisations to understand their reporting and remediation obligations without equating every incident with legal wrongdoing.

(2) Roles and Responsibilities in the Event of a Breach

The guidelines provide clarity on the roles and responsibilities of different entities involved in data protection breaches. A particular focus is given to the obligations of the data controller, who bears the primary responsibility for ensuring compliance under the principle of accountability. The PDPO highlights that, to demonstrate compliance with GDPR requirements, controllers must proactively remedy the consequences of the breach, assess the associated risks, and document and appropriately report the breach to the relevant entities.

Additionally, the guidelines reiterate the independent and supplementary role of the Data Protection Officer (DPO). While the DPO plays a critical advisory and monitoring role, their function remains independent of the controller's core responsibilities. This reinforces the principle that accountability rests with the organisation itself rather than being delegated to a DPO.

(3) Selection of Security Measures: A Contextual Approach

The PDPO underscores that security measures for identifying, responding to, and preventing personal data breaches should be tailored to the specific context of the organisation. Rather than prescribing a one-size-fits-all approach, the guidelines provide an extensive list of both organisational and technical measures that controllers can consider.

Examples of suggested security measures include:

  • Implementation of data protection procedures, including security incident response processes, network traffic monitoring and analysis processes and organisational rules for employees and colleagues;
  • Coordination of regular security audits, penetration tests, and verification of the implementation and effectiveness of applied measures;
  • Use of secure means of authentication, such as multi-step authentication;
  • Isolation of data processing and segmentation of IT systems and networks; and
  • Use of data encryption mechanisms and remote wipe measures in case of loss.

By offering practical guidance, the PDPO encourages organisations to adopt a risk-based approach to security, ensuring measures are proportionate to their operational and data-processing environments.

(4) Risk Assessment and Classification of Data Breaches

A core aspect of the PDPO's guidance is the obligation for controllers to assess the level of risk associated with a personal data breach. The guidance calls for a clear distinction between cases where there is no risk, cases involving a moderate risk, and those where the risk is particularly high. This classification is crucial in determining the appropriate response, including whether notification to the supervisory authority or affected individuals is necessary.

The PDPO provides specific insights on how controllers can assess risk, including:

  • Evaluation of the specific nature of the affected data, in particular whether the breach relates to sensitive data, a wide range of data or a large number of data subjects;
  • Identification of the potential consequences for data subjects; and
  • Assessment of whether the recipient of an unauthorised disclosure qualifies as a 'trusted recipient' who poses minimal risk.

This structured approach aids controllers in making informed decisions about their legal obligations and appropriate mitigation strategies.

(5) Documentation and Reporting Obligations

The final major takeaway concerns the documentation and reporting requirements for personal data breaches. The PDPO provides detailed instructions on the notification methods as well as the specific information that must be recorded and reported to supervisory authorities and, when necessary, to data subjects.

Key reporting elements include:

  • Information on the controller and other parties involved in the incident;
  • The circumstances of the incident, such as the timing and identification of the breach, the manner in which it was discovered, the causes identified, the nature and course of the breach, the type and extent of the affected data, the number and categories of data subjects;
  • The actual and likely consequences of the breach;
  • Measures taken or proposed to address the breach; and
  • Justifications for cases where notification to individuals is deemed unnecessary.

By offering clear reporting guidelines, the PDPO enhances transparency and ensures that organisations remain accountable for their data protection practices.

Conclusion

The PDPO's new guidance offers critical insights into handling data breaches under the GDPR, emphasising accountability, risk assessment, and tailored security measures. Organisations operating in Poland and beyond should carefully study these recommendations to align their data protection practices with regulatory expectations. By proactively implementing the PDPO's guidance, controllers can better navigate data breach incidents while minimising legal and reputational risks. You can access the PDPO guidance in Polish here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
