Report an incident!

Have you heard about the importance of proper data incident management?

An incident involving, for example, a lost device, an email sent in error, or a data leak must always be properly analyzed.

You should know the level of gravity of the breach you are dealing with and whether you have an obligation to report the breach to your customers or the DPA (and if so, in what manner).

These obligations derive from the GDPR, not to mention the fact that you need to act immediately. Time is short, and proper verification requires appropriate knowledge.

Have the incident analyzed by our experts! Within 24 hours you will learn what steps you should take to avoid exposing your organization to severe reputational damage or financial penalties.

If any of the following has occurred in your organization:
  • sending an e-mail to multiple addressees without the BCC option, when the addressees should not know each other's addresses
  • sending an e-mail to a wrong addressee
  • an email with an invalid attachment containing another person's personal data
  • lost/stolen laptop, smartphone, tablet, paper documents
  • breaking into the office
  • hacking into a system/database
  • unintentional corruption/loss of data
  • unintentional publication of data
  • or other situations…
...it is the responsibility of the organisation to analyse whether this is just an incident or maybe:
  • a data breach, but not requiring notification to the data protection authority (in Poland - President of the Office for Personal Data Protection, PUODO)
  • a data breach resulting in a risk of violation of the rights and freedoms of data subjects, which requires notification to the data protection authority, or in addition
  • a data breach requiring notification of the persons affected by the breach
The organisation has 72 hours for this analysis from the moment the incident/breach was identified! The organisation faces heavy financial penalties for failing to report a breach that required it!

It may be that your organisation processes personal data entrusted by clients and will not need to notify the breach to the data protection authority, but to the client on whose behalf it processes the data. If this is the case, you should also conduct an incident analysis.

Let us analyse it for you!
If you would like iSecure specialists to analyse the incident, please follow the steps below (documents in Polish):
1. Read our terms and conditions for the service (in Polish only) – Download the document
2. Use an online payment system (Autopay) to transfer the amount due of 99 zł net
3. Send to incydent@isecure.pl a detailed description of the incident including:
  • Company details: company name, contact person, contact person's email address, contact person's phone number
  • Description of the incident:
    • categories of persons affected by the incident (e.g. customers, employees)
    • scope of data (e.g. name, PESEL no.)
    • number of persons whose data has been compromised
    • number of records affected by the breach (e.g. amount of transactions, files, records affected)
    • who was involved in the incident (e.g. employee, third-party contractor employee, third-party – hacker’s attack)
    • the cause of the incident (e.g. database intrusion)
    • a detailed description of what happened (please list as much information as possible - when the incident occurred, what it consisted of, who discovered it, etc.)
    • other circumstances
  • Files (please attach evidence e.g. accidentally sent email, its attachments, etc.).
  • Completed and signed data entrustment agreement (if you provide personal data in the description or in the attached files) – available to download in Polish only – Download document
  • Payment transaction ID: The ID will be available when you make a payment and return to this page from the online payment system (also available in the e-mail regarding registration of your payment order)
By sending an e-mail to incydent@isecure.pl, you accept the terms and conditions of the service we provide.
4. Once we have received your report, we will contact you immediately.

It will take us a maximum of 24 hours to analyse the incident after we have received all the necessary information to do so.

Please note that our analysis will only allow us to determine whether the incident constitutes a breach or not, and the 72h time limit for reporting it to the data protection authority, if any, only runs from the moment the incident is identified!

The final result of our analysis will be a document prepared by us containing, in particular:
  • Name of the data controller
  • Name of the data processor (if applicable)
  • Description of the incident
  • Date of the incident
  • Date of the analysis
  • Data of the person conducting the analysis
  • The identified degree of risk
  • Recommendation as to the notification to the data protection authority and the deadline for doing so
  • Recommendation as to the notification to the data subjects affected by the incident and the deadline for doing so
  • Recommendation as to the notification to your client if the incident involved a processor
Potential iSecure recommendations after analysis:
Low risk

If the incident, after analysis, turns out to be an incident/breach with a low risk of infringement of the rights and freedoms of data subjects and does not require notification to the DPA and the persons affected, you will additionally receive from us the output data for making an entry in the register of personal data protection breaches - included in the price of the service!

Medium or high risk

However, if the incident, after analysis, turns out to be a breach with a medium or high risk of infringing the rights and freedoms of data subjects and requires reporting to the DPA and to the persons affected, and you still need assistance in this regard, you can make use of our additional services:

  • the preparation of a personal data breach notification form with instructions on how to make such a notification, and
  • if it is also necessary to inform the person(s) affected of the breach - the preparation of such information with instructions for its delivery.

The cost of this support is agreed on a case-by-case basis, depending on the estimated time required to complete the order.

It is possible to grant a power of attorney to an iSecure specialist to file a data breach notification on behalf of the data controller you represent. This PoA allows us to represent you before the Polish data protection authority (PUODO). In this case, it is necessary to send a power of attorney (in Polish), completed with your Company's (the principal's) data and date, and finally signed by the persons representing the organisation. At this stage, you do not complete the data of the person to whom the power of attorney is granted.

We will need some additional information to prepare the notification to the DPA.

Download a template of notification information (in Polish)

There are high financial penalties for failing to report an incident/breach that required such a report, and the occurrence of an incident/breach does not necessarily mean a fine for its occurrence or a possible inspection from the data protection authority!