
Data in postal mailings require better control
Poczta Polska should work on strengthening measures to ensure the security of mail deliveries – this was the conclusion presented by Mirosław Wróblewski, President of the Personal Data Protection Office, to Sebastian Mikosz, President of the Management Board of Poczta Polska SA.
The letter is a follow-up to correspondence from the President of the Personal Data Protection Office regarding reports of concern received from controllers who notified personal data breaches in connection with services provided by Poczta Polska (the Polish Post), as reported in our announcement at https://uodo.gov.pl/en/553/1657
The President of the Personal Data Protection Office approved the information provided by Poczta Polska on the implementation of the e-Delivery service, including the updating of risk analysis documentation and the presentation of a detailed description of the processes carried out as part of the provision of a public hybrid service.
The President of the Personal Data Protection Office has once again taken action against the President of Poczta Polska, as the number of reported cases of lost mail, delivery to unauthorised recipients, or delivery of damaged mail remains very high.
Such cases are reported to the Polish supervisory authority by controllers from the private sector, public administration, and courts. They have repeatedly notified personal data breaches to the President of the Personal Data Protection Office, not only in connection with the loss of postal correspondence containing personal data, but also with the delivery by the postal operator of items bearing signs of significant damage (envelopes torn, opened, with some contents falling out).
Given the scope of data that may potentially be contained in such correspondence, such cases may result in a high risk to the rights and freedoms of natural persons, requiring, pursuant to Article 34(1) of the GDPR, notification of the data subjects. In addition to so-called ordinary data such as name and surname, address, telephone number, or personal identification number (PESEL number), this may also include special categories of data listed in Article 9(1) of the GDPR, e.g., data concerning health, and data referred to in Article 10 of the GDPR, i.e., data concerning criminal convictions and offences.
In the case of correspondence related to court proceedings, there is also a risk of negative procedural consequences – if part of the contents of the mail is lost or damaged, the party may be deprived of the opportunity to defend their rights, and the consequences may be irreversible (some evidence, such as original documents, is sent to proceedings by post and cannot be reproduced if lost or destroyed).
It is also important to bear in mind the possibility of violating personal rights, such as image rights, which may involve a serious interference in a person's privacy.
In view of the above concerns, the Polish supervisory authority asked Poczta Polska to provide further explanations, in particular:
- whether Poczta Polska monitors the effectiveness of previously implemented measures to enhance the security of mail items;
- whether Poczta Polska has implemented or plans to implement additional security measures in this area, and if so, what these measures are and when they have been/will be implemented.
The President of the Personal Data Protection Office also emphasised that he will continue to monitor the activities of Poczta Polska, which are intended to improve the security of the services provided and eliminate cases of data protection breaches.
DKN.5101.47.2024