Data Breach Notification Procedure

Last updated: October 29, 2025

Effective Date: October 29, 2025

1. Purpose

This procedure defines how Quesma Poland Sp. z o.o. detects, assesses, responds to, and notifies affected parties about data breaches involving personal data.

This procedure ensures compliance with:

  • GDPR Article 33 (Notification to supervisory authority)
  • GDPR Article 34 (Communication to data subjects)
  • Polish data protection laws
  • Partner and customer contractual requirements

2. Scope

This procedure applies to any breach of security leading to:

  • Accidental or unlawful destruction of personal data
  • Loss, alteration, or unauthorized disclosure of personal data
  • Unauthorized access to personal data

Personal data in scope:

  • Website visitor data (analytics, IP addresses in logs)
  • Newsletter subscriber email addresses
  • Contact form submissions and email communications
  • Business contact information (partners, customers, vendors)

3. Definitions

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Data Controller: Quesma Poland Sp. z o.o. (we determine the purposes and means of processing)

Data Processor: Third-party services that process data on our behalf (Google Analytics, Cloudflare, Mailchimp, Google Workspace)

Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO) - Polish data protection authority

4. Breach Detection

4.1 How Breaches May Be Discovered

  • Automated alerts: Security monitoring systems (Cloudflare, hosting provider)
  • System logs: Unusual access patterns or failed login attempts
  • Third-party notification: Vendor reports breach affecting our data
  • Team member report: Employee notices suspicious activity
  • External report: Security researcher or user reports vulnerability
  • Customer inquiry: Questions about unexpected data access

4.2 Reporting a Suspected Breach

Any team member who suspects a breach must immediately report to:

Primary Contact: [email protected] (DPO - Jacek Migdal)

Do not delay. Even if uncertain, report suspicious activity immediately.

5. Breach Assessment and Response

5.1 Immediate Actions (Within 24 Hours)

Step 1: Containment

  • Stop the breach if ongoing (e.g., disable compromised account, block access)
  • Preserve evidence (logs, screenshots, communications)
  • Do not delete or modify logs without documenting them first

Step 2: Initial Assessment

  • What personal data was affected?
  • How many individuals are affected?
  • How did the breach occur?
  • Is the breach ongoing or contained?

Step 3: Assemble Response Team

  • Data Protection Officer (DPO) leads response
  • Relevant technical staff (whoever manages the affected system)
  • CEO/management (if significant breach)
  • Legal counsel (if complex or high-risk)

Step 4: Document Everything

  • Create incident log with timeline
  • Record all actions taken
  • Save all evidence securely

5.2 Detailed Investigation (Within 72 Hours)

Determine Breach Details:

  1. What data was compromised?
    • Types of personal data (emails, names, analytics data, etc.)
    • Volume of data (number of records)
    • Sensitivity of data (low, medium, high risk)
  2. Who is affected?
    • Identify specific individuals if possible
    • Estimate number if exact count unavailable
  3. How did it happen?
    • Root cause analysis
    • What vulnerability or error led to breach?
    • Was it malicious or accidental?
  4. What are the consequences?
    • Risk to individuals (identity theft, financial loss, privacy impact)
    • Likelihood of harm (low, medium, high)
    • Severity of harm (minor, moderate, severe)

Risk Assessment:

  • Low risk: Unlikely to result in harm to individuals (e.g., temporary website outage, no data exposed)
  • Medium risk: May result in some inconvenience or concern (e.g., email list temporarily accessible)
  • High risk: Likely to result in significant harm (e.g., passwords exposed, financial data compromised)

6. Notification Requirements

6.1 Notification to Supervisory Authority (GDPR Article 33)

When required:

  • Breach is likely to result in a risk to individuals’ rights and freedoms
  • Must notify unless breach is “unlikely to result in a risk”

Deadline: Within 72 hours of becoming aware of the breach

Where to notify:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: https://uodo.gov.pl/

What to include:

  1. Nature of the breach (what happened)
  2. Categories and approximate number of data subjects affected
  3. Categories and approximate number of personal data records concerned
  4. Contact point for more information (DPO: [email protected])
  5. Likely consequences of the breach
  6. Measures taken or proposed to address the breach and mitigate harm

If information unavailable within 72 hours:

  • Submit initial notification with available information
  • Provide remaining information in phases as it becomes available
  • Document reasons for delay

6.2 Notification to Data Subjects (GDPR Article 34)

When required:

  • Breach is likely to result in a high risk to individuals’ rights and freedoms
  • Not required if:
    • Appropriate technical protections were in place (e.g., encryption)
    • Subsequent measures ensure the high risk is no longer likely to materialise (e.g., a forced password reset)
    • Individual notification would involve disproportionate effort (a public communication may be used instead)

Deadline: Without undue delay (as soon as reasonably possible)

How to notify:

  • Email to affected individuals (if email addresses available and not compromised)
  • Public notice on website (if large-scale breach or email compromised)
  • Direct communication (phone, mail) if appropriate

What to include:

  1. Nature of the breach in clear, plain language
  2. Contact point for more information (DPO: [email protected])
  3. Likely consequences of the breach
  4. Measures taken or proposed to mitigate harm
  5. Recommended actions for individuals (e.g., change passwords, monitor accounts)

6.3 Notification to Partners and Customers

When required:

  • Breach affects data we process on behalf of partners or customers
  • Contractual obligations require notification
  • Partner/customer needs to take action to protect their users

Deadline:

  • Within 48 hours of discovery (or as specified in contract)
  • Earlier notification if immediate action required

How to notify:

  • Email to designated contact
  • Follow partner’s/customer’s preferred notification procedure
  • Provide sufficient detail for them to assess impact

6.4 Notification from Third-Party Processors

If a vendor notifies us of a breach:

  • Assess if our data or our users’ data is affected
  • Follow same notification procedures above if applicable
  • Document vendor breach in incident log
  • Review vendor relationship and security practices

7. Remediation and Prevention

7.1 Immediate Remediation

  • Fix the vulnerability or issue that caused the breach
  • Implement temporary safeguards if permanent fix takes time
  • Reset passwords or revoke access as appropriate
  • Enhance monitoring to detect similar incidents

7.2 Root Cause Analysis

  • Investigate how and why breach occurred
  • Identify contributing factors (technical, organizational, human error)
  • Document findings in incident report

7.3 Preventive Measures

  • Implement controls to prevent recurrence
  • Update policies and procedures as needed
  • Provide additional training to team if needed
  • Consider security enhancements (MFA, encryption, monitoring)

7.4 Post-Incident Review

  • Conduct lessons-learned session with response team
  • Update this procedure based on experience
  • Share appropriate learnings with team (without compromising sensitive details)

8. Documentation and Record-Keeping

8.1 Breach Log

Maintain a log of all breaches (required by GDPR Article 33(5)):

  • Date and time of breach discovery
  • Nature of breach
  • Data affected
  • Number of individuals affected
  • Consequences of breach
  • Remediation actions taken
  • Notifications sent

Retention: Keep breach records for at least 3 years

8.2 Incident Report

For each breach, create a detailed incident report including:

  • Timeline of events
  • Root cause analysis
  • Impact assessment
  • Notifications sent (copies)
  • Remediation actions
  • Preventive measures implemented

Reports are stored securely and made available for supervisory authority inspection.

9. Roles and Responsibilities

Data Protection Officer (DPO):

  • Lead breach response and investigation
  • Decide on notification requirements
  • Communicate with supervisory authority
  • Coordinate with technical and legal teams

CEO/Management:

  • Support DPO with resources and authority
  • Approve high-risk decisions (public notifications, legal actions)
  • Communicate with media if necessary

Technical Team:

  • Contain and remediate technical aspects of breach
  • Preserve and analyze logs and evidence
  • Implement security fixes
  • Support DPO with technical assessment

All Team Members:

  • Report suspected breaches immediately
  • Preserve evidence if they discover breach
  • Follow instructions from DPO during incident response
  • Maintain confidentiality of incident details

10. Communication Guidelines

Internal Communication:

  • Keep incident details confidential (need-to-know basis)
  • Do not discuss on public channels unless secure
  • Use dedicated incident response channel or private communications

External Communication:

  • All external communications coordinated by DPO
  • Consistent messaging across all channels
  • Transparent and honest, but avoid unnecessary technical details
  • Focus on what happened, impact, and what we’re doing about it

Media Inquiries:

  • Direct to CEO or designated spokesperson
  • Prepared statement approved by DPO and legal counsel

11. Contact Information

Data Protection Officer: Jacek Migdal, CEO
Email: [email protected]
Company: Quesma Poland Sp. z o.o.
Address: ul. Lindleya 16, 02-013 Warszawa, Poland

Polish Supervisory Authority (UODO): https://uodo.gov.pl/

12. Training and Testing

Annual Training:

  • All team members trained on breach detection and reporting
  • Response team drills breach response procedure
  • Update procedure based on drills and real incidents

Procedure Review:

  • Annual review of this procedure
  • Update after any actual breach incident
  • Update when regulations or business practices change

Quick Reference: Breach Response Checklist

Immediate (0-24 hours):

  • Contain the breach
  • Preserve evidence
  • Notify DPO ([email protected])
  • Assemble response team
  • Start incident log

Assessment (24-72 hours):

  • Determine what data was affected
  • Identify number of individuals affected
  • Assess risk level (low, medium, high)
  • Determine notification requirements

Notification (within 72 hours if required):

  • Notify supervisory authority (UODO) if required
  • Notify data subjects if high risk
  • Notify partners/customers if affected
  • Document all notifications

Remediation (ongoing):

  • Fix the vulnerability
  • Implement preventive measures
  • Conduct root cause analysis
  • Update policies and procedures
  • Complete incident report