A breach of personal data security means a violation leading to a destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data controllers who encounter data security breaches shall not only take action to eliminate them but shall also inform the supervisory authority – the State Data Protection Inspectorate. The data controller shall also document any personal data security breaches, including the facts relating to the personal data breach, its effects and the remedial action taken.

In the case of a personal data breach, the data controller shall without undue delay and not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The data processor shall immediately notify each data security breach to the data controller. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall immediately communicate the personal data breach to the data subject so that the latter could take the actions necessary to prevent it.

In order to help understand the obligations of companies, institutions and organisations that process personal data as well as of other persons when they encounter breaches of personal data security, the State Data Protection Inspectorate has drawn up the recommendation of 2 July 2018 “On the Procedure of Detection, Investigation of, Reporting and Documenting of Personal Data Security Breaches”.

The recommendation is available here: