Document register | Andmekaitse Inspektsioon |
Reference | 2.2-9/25/794-1 |
Registered | 12.03.2025 |
Synchronised | 13.03.2025 |
Type | Incoming letter |
Function | 2.2 Authorisation and notification procedures |
Series | 2.2-9 Requests for clarification |
File | 2.2-9/2025 |
Access restriction | Public |
Addressee | Redakcja portalu GDPR |
Method of receipt/dispatch | Redakcja portalu GDPR |
Person responsible | Pille Lehis (Andmekaitse Inspektsioon) |
Attention! This is a letter received from an external network.
Dear Sir or Madam,
As the portal GDPR.PL, we kindly ask you to present your opinion and previous experience regarding the handling of personal data breaches and the role of a Data Protection Officer in handling them, in the light of the potential conflict of interests. GDPR.PL is the oldest and largest portal dedicated to personal data protection in Poland. Our mission is to provide reliable information to citizens, entrepreneurs and public entities. Thus, we would like to learn the positions of supervisory authorities from across the EU on this topic and prepare an article / report comparing the opinions of supervisory authorities on personal data breaches and the DPO's independence in the context of handling personal data breaches.
Given the above, we will be grateful if you could answer the following questions:
1. What is the purpose - in the light of the GDPR - of notifying personal data breaches to the supervisory authority? What did the legislator want to achieve through this obligation?
2. Which moment do you consider as "having become aware of the personal data breach"? In the opinion of your supervisory authority, from which point in time does the 72-hour time limit to notify the supervisory authority start to run?
3. Should the controller notify the supervisory authority of each personal data breach regardless of the identified level of risk, or can it refrain from notifying in case the assessed risk is at a low level?
4. Are there any personal data breaches which, in the view of your supervisory authority, should not be notified to the supervisory authority considering their commonness or specificity - e.g. mistakenly sending an e-mail to the wrong addressee?
5. How many personal data breaches have been notified to your supervisory authority in the years 2022, 2023 and 2024?
6. Which obligations arising from the GDPR concerning the handling of a personal data breach can be fulfilled by the DPO; in particular, can the DPO assess the personal data breach, notify the breach to the SA, communicate the breach to the data subjects or document the breach internally?
7. How should the DPO cooperate with the controller in case of a personal data breach? What should be the scope of the DPO's assistance?
8. How should the DPO support the controller in handling the personal data breach to avoid the risk of a potential conflict of interest? Does such a conflict of interest really exist?
We will be very grateful for a quick response. Thank you kindly in advance.
Agnieszka Rzycka-Osiej, Editor-in-chief of the GDPR.PL website
Al. Waszyngtona 40a Ip. | 03-910 Warszawa | e-mail: [email protected]