Abstract

The article discusses the legal construct of reporting personal data protection infringements to a supervisory authority and notifying the data subject thereof contained in the provisions of the EU General Data Protection Regulation. The initial part of the article outlines the origin of the duty to report infringements, the substance of that duty, and indicated selected legal regulations where such duty had been provided for earlier. Further on, it analyses the provisions of the General Data Protection Regulation concerning the concept of “data protection infringement”; requirements concerning reporting and notifications of infringements; keeping of infringement records; guidelines, recommendations and best practices relating to stating personal data protection infringement, and responsibility for the violation of the provisions concerning reporting data protection infringements. The last part of the article presents conclusions arising from the analyses.