Loss of a document with personal data and failure to notify the incident as a reason for a fine

6 July 2022

Background information

  • Date of final decision: 6 June 2022
  • Cross-border case or national case: national case
  • Controller: Esselmann Technika Pojazdowa Sp. z o.o. Sp. k.
  • Legal Reference: notification of a personal data breach to the supervisory authority (Art. 33 (1))
  • Decision: administrative fine of PLN 15,994 (circa 3500 EUR)
  • Key words: data breach notification, employment certificate, loss of document

 

Summary of the Decision

 
Origin of the case

The Polish Supervisory Authority (SA) was notified by the Poviat Police Commander of potential inaccuracies related to the processing of personal data by Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. In view of the above, the Polish SA obliged the company as the data controller to provide explanations in the case. In the course of explanatory actions carried out by the Polish SA the fact of losing a document from the personal file of a company employee was revealed.

The company made an informed decision not to notify a breach involving an important document of one of its employees to the supervisory authority, despite the letters addressed to it indicating a possible risk to the rights or freedoms of the persons concerned in this case. This means that the company did not fulfil its obligation to notify the breach to the Polish SA.

 
Key Findings

In its explanations to the Polish SA, the company indicated that a personal data breach had occurred, consisting in the loss of an employment certificate of one of the employees through the fault of the employer. At the same time, the company explained that it did not notify the breach to the Polish SA because, in its opinion, it did not involve a risk of infringement of the rights or freedoms of the data subject.

The company stated that it had notified the employee of the loss of his or her employment certificate, and the employee had made no claims against the company on this account. The document in question was lost and had not been found by the date of the decision.

 
Decision

The certificate of employment contains a lot of important information about the person, including:

  • the period(s) of employment;
  • the procedure and legal basis for the termination or expiry of the employment relationship;
  • parental and child care leave taken;
  • information on the amount of remuneration and qualifications obtained - at the employee's request;
  • information on enforcement seizure of remuneration.

Taking the above into account, the Polish SA imposed a fine of PLN 15,994 (equivalent to EUR 3,500).

 

For further information: decision in national language.

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.