Our personal data are exposed more and more often (e.g. as a result of a successful hacker attack against an online shop that we use). If this has not happened to us yet, we should not be particularly surprised if it does. Losing an identity card is possible as well. Either way, there is a risk of identity theft. The negative consequences may be numerous (e.g. loan fraud, use of our data to issue a “collector identity card”). In such situations you should not wait; you should act. One of the first steps we should take, though not the only one, is to report the loss of our identity card or the exposure of our data (e.g. the series and number of the identity card) to the Police.
As of 12 January 2020, an amendment to the Act on Identity Cards has been in effect which makes it possible to issue a new identity card due to “a suspicion of unauthorized use of our personal data” (in particular the series and number of the identity card). Pursuant to Article 46 item 1 point 5a of the Act, we should present to the commune/municipal authority a confirmation that we have notified the authorities entitled to investigate (e.g. the Police) of such a suspicion. Proceedings instituted ex officio by the Police, or a decision of the President of the Personal Data Protection Office stating a breach of the data protection regulations concerning the security of the personal data of an identity card holder, may constitute such a basis.
If we find someone else’s identity card, we should not be passive. We should deliver it to the commune/municipal authority or a consul of the Republic of Poland. As of 12 January, this also serves as a basis for issuing a new identity card.
If our situation is the exact opposite and we act as an administrator of the personal data of other people (e.g. employees, customers) and there is a risk of a data breach (e.g. loss of an unencrypted laptop by our employee), we should bear in mind our obligations under Articles 33 and 34 of the GDPR and the possibility of very high financial penalties. First of all, do not panic, but immediately take appropriate measures to remedy the breach and to minimize its negative effects (among others: report it to the Police, inform the President of the Personal Data Protection Office, appoint an intra-company “incident response team”). However, it is even better to prepare for such a data breach before it actually happens, e.g. by developing relevant intra-organizational procedures and by appointing and training competent persons.