Zofia Babicka-Klecor, Legal Geek: 72 hours to decide. How to respond to a personal data breach? [COMMENTARY]

On 2026-01-09 Omnichannel News covered: GDPR, UODO, data breach.

What we discussed

On 2026-01-09 Omnichannel News examined the GDPR, the Polish Data Protection Authority (UODO) and personal data breaches. The topic matters to businesses because these rules shape not only the wording of legal documents but also the design of sales, payment, security and customer-communication processes. The discussion focused on the practical consequences of implementation and on the risks of reading the rules too narrowly or too formally. The outlet asked Zofia Babicka-Klecor to comment on the subject of the publication.

What we emphasized

  • The GDPR requires a swift classification of the incident and an assessment of the risk to natural persons.

    Basic roles and responsibilities should be assigned in advance; a controller that only starts establishing them after a breach has been detected loses time it does not have.

  • The 72-hour deadline for notifying the President of UODO runs from the moment the controller becomes aware of the breach.

    Where the notification is made after that deadline, the controller should explain the reasons for the delay.

  • Notifying the data subject is an obligation separate from notifying the supervisory authority.

    It applies only above a high-risk threshold, and the message must be written in clear and plain language.

Frequently asked questions

What is a personal data breach under the GDPR?
A personal data breach is an incident leading to the accidental or unlawful destruction, loss or alteration of, unauthorised disclosure of, or unauthorised access to personal data. The GDPR covers both data leaks and loss of availability, e.g. after a ransomware attack or a system misconfiguration.