A distinction must be drawn between controller’s duties relating to incident notification and communication and its liability for the incident itself.
GDPR requires each data controller to notify a personal data breach to the competent authority. The notification is not necessary if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. However, if the controller may not treat a breach in this way, it has 72 hours to notify it. In Poland, the President of the Personal Data Protection Office is the competent authority for the purpose.
Importantly, too, a data breach may also involve the need to communicate it to the affected persons. This communication requirement is triggered where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication should be sent without undue delay.