Notification of data breaches by telecommunications service providers
Telecommunications companies are one of the subjects which – in the event of establishing that a personal data breach has occurred – are obliged to notify this fact to the President of the Personal Data Protection Office (UODO) and – in certain instances – the data subjects themselves. Below we explain when it is necessary and how to do it.
Within the legal framework of:
- the EU General Data Protection Regulation (GDPR),
- the Commission Regulation (EU) No. 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications, hereinafter referred to as the “Commission Regulation (EU) No. 611/2013”,
- the Act of 16 July 2004 the Telecommunications Law,
the providers of the publicly available telecommunications services are not only obliged to protect personal data of persons using their services, but also – in the event of establishing a personal data breach – are obliged to notify the national supervisory authority of this fact, in Poland: the President of the UODO. Additionally in some instances it is also necessary to communicate the breach to the subscriber or end-user whose data were breached.
The overriding objective of every data breach notification to the supervisory authority is the protection of the rights and freedoms of natural persons. The crucial imperative in this instance is the controller’s response time, i.e. a prompt notification of the breach to the supervisory authority and – if it is necessary – communicating the breach to data subjects.
Below you will find featured useful guidance pertaining to the obligation of notifying data breach in the telecommunications sector.
What is to be meant by personal data breach?
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union.
Who and within what timeframe should notify the President of UODO on the personal data breach?
This obligation was imposed on the providers of publicly available electronic communications services. The provider shall notify the personal data breach to the competent national authority without delay, no later than 24 hours after the detection of the personal data breach, where feasible. This time limit results from the Art. 2(2) of the Commission Regulation (EU) No. 611/2013. Because it is shorter than the one outlined in the GDPR, the telecommunications service providers should be making every effort to provide all the information required by law within 24, not 72 hours.
How to notify the President of UODO of data breach?
Data breach should be notified electronically be completing a dedicated electronic form available at UODO’s website: https://uodo.gov.pl/en/573/935. The form contains all the information required as referred to in the Art. 2(2) the Commission Regulation (EU) No. 611/2013.
Within what timeframe and for what purpose it is required to communicate the breach to data subjects?
Under the Commission Regulation (EU) No. 611/2013 when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall, in addition to the notification to the President of UODO, also notify the subscriber or individual of the breach. The notification to the subscriber or individual shall be made without undue delay after the detection of the personal data breach by the controller.
What should be the content of the notification to the subscriber?
According to the Art. 3(4) of the Commission Regulation (EU) No. 611/2013 the notification that the provider issues to the subscriber or individual should contain information such as:
- Name of the provider;
- Identity and contact details of the data protection officer or other contact point where more information can be obtained;
- Summary of the incident that caused the personal data breach;
- Estimated date of the incident;
- Nature and content of the personal data concerned as referred to in Article 3(2);
- Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2);
- Circumstances of the personal data breach as referred to in Article 3(2);
- Measures taken by the provider to address the personal data breach;
- Measures recommended by the provider to mitigate possible adverse effects.
When there is no obligation to notify the data subjects on the data breach?
The notification of the subscriber or end user who is a natural person shall not be required, if the provider of publicly available telecommunications services has implemented appropriate technical and organisational protection measures provided for in the personal data protection law, which prevent the reading of data by unauthorised persons, and has applied those measures to datathe protection of which has been breached (under Art. 174a(5) of the Telecommunications Law).
What if the controller failed to notify the subscriber of the data breach?
If the provider of publicly available telecommunications services failed to notify a subscriber or an end user who is a natural person of a personal data breach, the President of UODO may impose on the provider, by means of a decision, the obligation to notify subscribers or end users who are natural persons of that breach, taking into account potential adverse effect thereof.
Are telecommunications service providers required to maintain a register of personal data breaches?
Providers of publicly available telecommunications services shall maintain a register of personal data breaches comprising the facts surrounding the breach, its effects and the remedial action taken. The inventory shall include the following:
- description of the nature of a personal data breach;
- information about recommended measures intended to mitigate potential adverse effects of a personal data breach;
- information about the measures undertaken by a provider of publicly available telecommunications services;
- information whether a subscriber has been informed or not of a personal data breach;
- description of effects of a personal data breach;
- description of remedies proposed by the provider of publicly available telecommunications services.