Loss of a document with personal data and failure to notify the incident as a reason for a fine

The Polish Data Protection Authority imposed an administrative fine of almost PLN 16 000 on Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. The reason for this decision was the failure to notify the Polish DPA of personal data breach consisting in the loss of an employee's work certificate.

The Polish Data Protection Authority was notified by the Poviat Police Commander of potential inaccuracies related to the processing of personal data by Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. In view of the above, the DPA obliged the company as the data controller to provide explanations in the case. In the course of explanatory actions carried out by the Polish DPA the fact of losing a document from the personal file of a company employee was revealed.

In its explanations to the Polish DPA, the company indicated that a personal data breach had occurred, consisting in the loss of an employment certificate of one of the employees through the fault of the employer. At the same time, the company explained that it did not notify the breach to the Polish DPA because, in its opinion, it did not involve a risk of infringement of the rights or freedoms of the data subject. The company stated that it had notified the employee of the loss of his or her employment certificate, and the employee had made no claims against the company on this account.

The certificate of employment contains a lot of important information about the person

According to the Polish DPA, the company's recognition that the incident did not constitute a personal data breach had no factual or legal basis. Information included in the employment certificate constitutes personal data. Apart from basic data, such as first name, surname, place of residence or date of birth, the content of the certificate of employment provides information which is particularly important from the perspective of the rights or freedoms of the data subject. In particular, the information on the procedure and legal basis for the termination or legal basis for the expiry of the employment relationship, as well as possible attachment of salary shall be deemed as such data. Such data may directly or indirectly disclose information on the person's personal life, legal problems and financial status (e.g. information about the attachment of salary due to enforcement proceedings), etc.

Fear of unauthorised use of data

It should be borne in mind that if there is a risk to the rights or freedoms of the person affected by the personal data breach, the controller should notify the breach to the DPA.

It’s irrelevant whether an unauthorised person actually got acquainted with the personal data of the person whose data is contained in the lost employment certificate. What is relevant is that there was a risk of such an occurrence, which means that the unauthorised person had the opportunity to become acquainted with the data. Given the scope of the data contained in the lost document, in the opinion of the Polish DPA there was a risk to the rights and freedoms of the data subject. Consequently, the company, as the data controller, should have notified the breach to the supervisory authority, which it failed to do, thus failing to fulfil its obligations under the General Data Protection Regulation (GDPR).

Reasons for imposing an administrative fine

In the opinion of the Polish DPA, the company made an informed decision not to notify the breach to the supervisory authority, despite the letters addressed to it indicating a possible risk to the rights or freedoms of the persons concerned in this case. This means that the company did not fulfil its obligation to notify the breach to the DPA.

It should be emphasised that the lost document had not been found by the date of the decision.

Taking the aforementioned factors into account, the Polish DPA used its powers and imposed a fine of PLN 15 994.

Time of reaction to an incident is important

It should be reminded that each controller shall notify the personal data breach to the supervisory authority without undue delay ‒ if possible not later than within 72 hours after having become aware of it. In case of serious infringements, the controller's reaction time is very important, because if it turns out that the controller should notify not only the DPA, but also the persons whose data are subject to the breach, and it was not done earlier, then the need  to do so can be quickly pointed out to the controller. It is very important that the persons whose data has been e.g. disclosed, stolen or in any other way affected by the breach could, after the abovementioned notification, take actions on their own as soon as possible in order to protect themselves against the risks related to the incident.

Full text of the decision