Notification of violations and supervisory authority - protection of personal data


A supervisory authority is at least one public authority that protects the rights of individuals with regard to the processing of personal data. Currently, the body supervising the protection of personal data is GIODO. There may be more than one supervisory authority in a country. The reporting of violations is also subject to supervisory authorities.

This body is to act independently. He will not be able to start a business. The appointment will follow a transparent procedure so that the elected is neutral. Candidate for this office may be a person with appropriate skills, qualifications in the field of personal data protection and experience. The rules for establishing the supervisory authority are set out directly in the GDPR regulation. The so-called the lead supervisory authority will support more established authorities. The purpose of their establishment will be the effective cooperation of Member States, and this is to contribute directly to increasing the security of personal data protection in the EU.

Supervisory authorities in each EU country will have the same tasks and powers.


By May 25, 2018, Poland will have to notify the EU authorities of the adopted changes to the law and - like every Member State - establish a supervisory authority.

Powers of the supervisory authority

Examples of competences of the supervisory authority in relation to the protection of data processing by the entrepreneur will include:

  • conducting explanatory proceedings
  • conducting remedial proceedings
  • cooperation with other supervisory authorities of the Member States
  • imposing penalties
  • granting permits (including contractual clauses) and recommendations
  • adopting standard clauses
  • keeping lists of infringement impact assessments
  • encouraging the development of codes of conduct
  • encouraging the establishment of certification mechanisms
  • publishing accreditation criteria for codes of conduct
  • approving binding corporate rules
  • taking part in the work of the European Data Protection Board
  • keeping internal registers of violations
  • consulting
  • providing prior consultation
  • monitoring compliance with the implemented code of conduct
  • consulting
  • reporting violations to the judicial authorities
  • introducing a temporary or permanent limitation of data processing
  • enforcing the provisions of the EU regulation on the protection of personal data
  • disseminating knowledge in society
  • receiving complaints
  • provision of records from controllers and data processors.

Member States (authorities) will be able to define additional competences of the supervisory authority, in line with EU law and internal (national) law, not in conflict with the Regulation. However, they should not go beyond a certain procedural framework. Member States will be required to ensure compliance with this regulation. After the above-mentioned competences, you can apply for new obligations and responsibilities of the entrepreneur who is the data processor in his company towards the state and the EU. The obligations of entrepreneurs will include the application of good practices, minimizing the occurrence of incidents on personal data, creating documentation of activities with personal data, creating lists of entrustments, preparing sets of collections, informing data subjects, concluding contracts for entrusting personal data processing, reasonable marketing, pseudonymization and encryption of data and their proper protection, if they are in paper form.

The supervisory authority will enforce and apply the provisions of the GDPR. Therefore, it is important to be well prepared for the upcoming changes.

Obligations related to the processing of personal data

When creating a data protection impact assessment, which will be their new obligation, entrepreneurs will also be obliged to consult its result with the supervisory authority, especially when they do not have the appropriate technical data security capabilities in their company. In addition, consultations with the supervisory authority should be helpful for personal data controllers, e.g. in the preparation of an act in the form of a code of conduct, which is recommended in the GDPR Regulation to every company processing personal data.

Risk assessment of personal data processing

The security of data processing should take into account the current state of technical knowledge. The level of security should be appropriate to the scale of risk in the processing of personal data.

The security of personal data processing can be guaranteed by:

  • pseudonymization - that is, encryption of personal data

  • constant assurance of confidentiality, integrity and resilience of data processing systems

  • the ability to quickly restore access to data in the event of incidents

  • regular testing and evaluation of technical safety measures.

Therefore, it is so important to provide appropriate technical facilities and people with appropriate competences in your company. It seems necessary to train all employees, even those indirectly processing personal data in the company.

Example 1.

If accounting office employees print documents containing personal data of the company's clients, they should not leave them in the printer for a long time, as this could result in access to personal data by unauthorized persons.

It is very important to assess the risks associated with the processing of personal data. It will be able to be consulted with the enforcement authority described above, so it is worth being prepared for cooperation and avoiding:

  • accidental and unlawful destruction of personal data

  • loss of personal data

  • data modification on your own initiative

  • unauthorized disclosure of personal data to another person

  • unauthorized access of other people to the data

  • improper storage of personal data.

It may be helpful to develop an approach to personal data. The regulation proposes the creation of appropriate codes of conduct and action mechanisms, thus obliging supervisory authorities to control them.

Notification of personal data breaches

However, the key to proper data processing is the obligation to report any breaches. It will apply to both data controllers and data processors, even if they have not caused any negative consequences for the data subject.

In the event of a breach of personal data protection, this fact will be reported to the supervisory authority. However, it will not require notification if the risk of violation of rights and freedoms is unlikely.

However, if the risk is significant, it will have to be reported to the supervisory authority within 72 hours, and after that period, it will also be required to provide relevant explanations and reasons for the delay in reporting. It is of an evidence nature, the documentation will allow the supervisory body to decide whether the rules for the security of personal data have been implemented and whether it will be appropriate to impose a penalty - and the penalties will be significant!

Notification of a breach to the supervisory authority should include:

  • description of the breach, categories and number of data subjects

  • data of the data protection officer.

The next step is to notify the data subjects of such a breach. They are notified when the risk of violating the rights and freedoms of natural persons is high. This is done by the personal data administrator. The notification of the data subject's incident must contain the same elements as when it is reported to the supervisory authority, but without describing the nature of the breach and identifying other, other persons affected by the breach.

There is no need to notify a person when:

  • the administrator has previously used data encryption measures (pseudonymisation),

  • eliminated the likelihood of a high risk of a breach (made an assessment),

  • would make a disproportionate effort to individually inform each person affected by the violation (then he issues a public announcement).