15.04.2025

A well-managed risk analysis could have helped avoid the data loss

The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed an administrative fine of PLN 33 000 on the funeral parlour in Puławy, which failed to implement appropriate organisational and technical safeguards for personal data in burial documents. As a result of this negligence, there was an incident with a loss of data.

Furthermore, the funeral parlour did not notify the President of the Personal Data Protection Office of the breach, although it was obliged to do so. The purpose of such notification is to minimise the impact of the incident on data subjects with the assistance of the Personal Data Protection Office and to implement appropriate corrective action. The decision now obliges the funeral parlour to implement measures to minimise the risk to the data within 30 days.

What happened? In November 2022, on a road near Puławy, the Police found 10 boxes of documents belonging to the funeral parlour. Among the various burial documents there were 82 authorisations containing personal data of family members of deceased persons. The Public Prosecutor’s Office found that a person employed by the entrepreneur as a mourner, on his instructions, had transported the boxes of documents on a so-called ‘open back’ car, and the boxes fell from it. The employee did not know that he had lost them because he had not counted them beforehand.

Before transportation, the document boxes had been kept in an unlocked room under the stairs of the funeral parlour.

The data risk analysis provided to the President of the Personal Data Protection Office contained no description of the risks related to the security of the personal data processed, no assessment of the likelihood of an event resulting in a personal data breach, and no assessment of the consequences of such a risk for the natural persons concerned.

In the pending proceedings before the President of the Personal Data Protection Office, it became apparent that, contrary to its obligation, the data controller had not envisaged the risks and security measures to be applied when transporting and storing paper records containing personal data.

Had the risk analysis been done correctly, the incident might not have occurred. If the controller had carried out such an analysis and taken into account the risks associated with transporting the documentation, it would have been able to implement a transport procedure and verify on a regular basis that it was complied with. This would have minimised the risk of a personal data breach. Of course, an incident could still occur; however, in that situation the controller would have been able to demonstrate compliance with the GDPR.

The controller has not been able to demonstrate that it exercised effective supervision of the processing of personal data in the funeral parlour, in accordance with the principle of accountability from Article 5 (2) of the GDPR.

The only person authorised by the Controller to access the personal data was an office employee, whereas the transportation of the documents was entrusted to another employee.

The personal data breach that occurred in the present case, contrary to what the Controller claims, also results in a risk to the rights and freedoms of the natural persons concerned by the breach. In the present case, at least one unauthorised person could have read the personal data contained in the authorisations: the name and the identity card number and series. It is therefore clear that, on the basis of the personal data disclosed, it is possible to identify the data subjects, and it must be held that the negative effects may have materialised. The impact of the incident on the rights and freedoms of individuals is therefore not negligible.

The risk to them is not low and has not been eliminated. That is why the Controller was required to inform the President of the Personal Data Protection Office of the incident.

Decision in Polish: DKN.5131.10.2023