The case of a data leak at the Wroclaw DCG Medical Center is known to the President of the Personal Data Protection Office (UODO). The supervisory body will take actions within the framework of its tasks and powers granted to it under the General Data Protection Regulation (GDPR) and national regulations.
Remember, individuals affected by the breach of personal data protection should first contact the entity that processes their personal data to learn about what specific data has been stolen or disclosed to an unauthorized person. Any administrator who identifies a breach of personal data protection that poses a high risk to individual rights or freedoms (i.e. the breach can lead to identity theft, financial loss or breach of legally protected secrets) should notify those affected. This notification may be necessary if the data disclosed include special categories of personal data such as social security number or health status information.
In cases of high risk, such as identity theft, notifying the affected individuals is very important. These individuals, being aware of the event and its associated risks, can take quick actions to protect themselves from further threats.
Such actions could include setting up an account with the credit and economic information system to monitor their own credit activity and being even more cautious when providing information online or over the phone, so as not to provide additional data that would facilitate possible identity theft.