Personal Data Breach Response, Notification, and Reporting Procedure
Effective Date: 1 April 2026 | Version 1.0 | Legal Basis: GDPR Articles 33–34; Polish PDPA; NIS2 Directive (EU) 2022/2555 (Last updated: 1 April 2026)
| Document Type | Breach Notification Policy — Internal and Published |
|---|---|
| Owner | Data Protection Officer (DPO) |
| Incident Lead | Chief Information Security Officer (CISO) |
| Contact | privacy@exactflow.com; security@exactflow.com |
| 72-Hour Clock | Starts from the moment ExactFlow becomes AWARE — not from when the breach is confirmed |
| Supervisory Auth | UODO — ul. Stawki 2, 00-193 Warsaw; www.uodo.gov.pl; +48 22 531 03 00 |
| UODO Portal | https://uodo.gov.pl/p/zgloszenie-naruszenia |
THE 72-HOUR CLOCK IS ABSOLUTE. GDPR Article 33(1) requires notification to the UODO within 72 hours of BECOMING AWARE of a personal data breach posing risk to individuals — not from confirming it. Awareness is the trigger. All staff must report suspected breaches immediately — do not investigate before reporting internally.
Under GDPR Article 4(12), a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes three types:
| Breach Type | Examples |
|---|---|
| Confidentiality breach | Unauthorised external access; accidental email to wrong recipient containing personal data; insider access beyond role authorisation; data shared with wrong sub-processor; personal data visible in error on public-facing page |
| Integrity breach | Unauthorised modification of personal data; ransomware altering records; data corrupted during migration; incorrect data merged with wrong customer record |
| Availability breach | Ransomware destroying or encrypting personal data without recovery; sustained DDoS causing unavailability of personal data individuals need access to; accidental database deletion without backup |

| Level | Criteria | UODO Notification? | Individual Notification? | Escalation |
|---|---|---|---|---|
| Level 1 — Low | No risk to individuals (e.g. data already public; single record; no sensitive data; immediately contained) | No — document internally | No | Log in Breach Register; DPO review within 5 days |
| Level 2 — Medium | Risk (not high risk) to individuals (e.g. limited personal data exposed; moderate sensitivity; contained) | Yes — within 72 hours | No — unless risk escalates | DPO leads; CISO supports; UODO notified; full documentation |
| Level 3 — High | HIGH risk to individuals — likely to result in discrimination, identity theft, financial loss, or significant harm (e.g. financial data; health data; large-scale; special category) | Yes — within 72 hours | Yes — without undue delay | DPO + CISO + CEO; legal counsel; individuals notified; consider press statement |
| Level 4 — Critical | Large-scale breach; vulnerable individuals or children; criminal activity; multiple organisations affected; regulatory investigation likely | Yes — within 24 hours (best efforts) | Yes — immediately | Board notification; legal counsel; UODO pre-notification call; law enforcement; crisis communications |
Any person (staff, contractor, Client, sub-processor) aware of or suspecting a breach must immediately report to privacy@exactflow.com and security@exactflow.com. Include: what happened (as known); when discovered; what data may be involved; estimated number of individuals; systems affected. Preserve all evidence — do not delete logs or records.
CISO leads containment — isolate affected systems from the network
DPO leads risk assessment — determine data categories, sensitivity, volume, special category or children's data
Where breach poses risk to individuals (Level 2, 3, or 4), DPO submits notification to UODO via https://uodo.gov.pl/p/zgloszenie-naruszenia. GDPR Article 33(3) requires:
Where not all of this information is available within 72 hours, submit what is available with a clear note that it is a partial notification, and supplement it within 7 days.
Late UODO notification — or failure to notify — is a material GDPR violation that exposes ExactFlow to administrative fines under GDPR Article 83(4) of up to €10,000,000 or 2% of total annual worldwide turnover, whichever is higher.
Where a breach is likely to result in HIGH risk (Level 3 or 4), ExactFlow notifies affected data subjects directly without undue delay under GDPR Article 34. Notification must be in plain language and include: nature of the breach; DPO contact; likely consequences; measures taken; specific, practical advice for the individual (e.g. change passwords; monitor bank statements).
Remediate root cause; strengthen failed controls; retrain staff; update processes
All breaches — notifiable or not — are documented in the Breach Register (GDPR Article 33(5)). Each entry must include: discovery and containment timestamps; breach type and severity; data categories and estimated records/individuals affected; root cause; UODO notification details; individual notification details; remediation actions; DPO sign-off confirming closure.
| Timeline | Action | Owner |
|---|---|---|
| Immediate (Hour 0) | Report to privacy@exactflow.com and security@exactflow.com | All Staff / Sub-processors |
| Within 1 hour | CISO and DPO notified; initial triage; evidence preservation | CISO + DPO |
| Within 4 hours | Containment complete or underway; initial assessment to DPO | CISO |
| Within 24 hours | Risk assessment and classification complete; CEO briefed for Level 3/4 | DPO |
| Within 48 hours | Legal counsel engaged for Level 3/4; UODO notification drafted and reviewed | DPO + Legal |
| Within 72 hours | UODO notification submitted (where required); initial individual notifications for Level 3/4 | DPO |
| Within 7 days | UODO supplementary notification if initial was partial; all individuals notified; Board briefed for Level 3/4 | DPO + CEO |
| Within 30 days | Root cause remediated; post-incident review completed; Board report | CISO + DPO |
NIS2 Directive (EU) 2022/2555: where ExactFlow qualifies as an Essential or Important Entity, significant ICT incidents must be reported to CSIRT NASK within 24 hours (early warning) and 72 hours (full notification). The classification assessment is underway; this Policy will be updated once the determination is made.
Polish Cybersecurity Act (Dz.U. 2018 poz. 1560): ICT incidents affecting critical services are reported to the relevant CSIRT (CSIRT GOV, CSIRT NASK, or CSIRT MON) per the Act's requirements.
PCI-DSS v4.0: card data breaches are reported to Visa, Mastercard and the acquirer within 24 hours of confirming card data involvement, per card scheme rules.
Where ExactFlow acts as Data Processor on behalf of a Platform Client and discovers a breach affecting the Client's personal data, ExactFlow will: notify the Client within 24 hours; provide all information needed for the Client's own GDPR notification assessment; cooperate fully with the Client's investigation; implement containment and remediation as directed where not in conflict with ExactFlow's own obligations.
All sub-processors are contractually required to notify ExactFlow at privacy@exactflow.com and security@exactflow.com within 24 hours of becoming aware of any breach affecting ExactFlow personal data.
| DPO | privacy@exactflow.com |
|---|---|
| CISO | security@exactflow.com |
| UODO | kancelaria@uodo.gov.pl; +48 22 531 03 00; www.uodo.gov.pl |
| UODO Notification Portal | https://uodo.gov.pl/p/zgloszenie-naruszenia |
| CSIRT NASK (NIS2) | incydent@cert.pl | www.cert.pl |
| Registered Address | ExactFlow p.s.a., Stanisława Bodycha 87, 05-816 Reguły, Poland |
This Breach Notification Policy complies with: GDPR Articles 33–34; Polish Personal Data Protection Act (Dz.U. 2018 poz. 1000); NIS2 Directive (EU) 2022/2555; Polish Cybersecurity Act (Dz.U. 2018 poz. 1560); PCI-DSS v4.0; and ENISA Personal Data Breach Notification Guidelines. Annual tabletop exercises testing this procedure are strongly recommended.
— END OF BREACH NOTIFICATION POLICY — EXACTFLOW P.S.A. —