Utilizziamo cookies e tecnologie similari per migliorare l’esperienza all’interno del sito e offrire all’utente un servizio di maggior valore. I cookie presenti su questo sito sono cookie tecnici per garantire il funzionamento del sito e cookie analitici, anche di terze parti, utilizzati da noi e dai nostri partner per misurare le performance del Sito e capire i contenuti che vi interessano. Per accettare i cookie clicca «accetta i cookie analitici». Per rifiutare i cookie clicca «rifiuta i cookie analitici». Per maggiori informazioni ti invitiamo a leggere la nostra Cookie Policy.



Poland: Another administrative fine for a breach of employee's personal data

PrintMailRate-it
published on 28 June 2022 | reading time approx. 2 minutes

The President of the Polish Personal Data Protection Office slapped an administrative fine of almost 16,000 zloty (about 3,400 euro) in June 2022 for a failure to report a personal data breach – a lost work record certificate (świadectwo pracy) of an employee – to the Personal Data Protection Office. 

The Personal Data Protection Office stressed again that data collected in the course of an employment relationship required special protection and any unauthorised disclosure posed a risk of a violation of rights and freedoms of an employee (also a former one). Additionally, the authority pointed out that the assessment of a breach should include an assessment if an unauthorised person had even only a chance to access personal data.

The Personal Data Protection Office was notified of a potential misconduct in personal data processing and launched an investigation in response. The investigation showed that the company lost a work record certificate of one employee. Despite losing the certificate the company did not report it to the Personal Data Protection Office because it assessed that the incident did not pose a risk to the rights and freedoms of the data subject. It based its assessment mainly on the fact that the employee was notified of the lost work record certificate and raised no claims against the company on that account.

The Personal Data Protection Office did not agree with the company's opinion that no personal data breach occurred.

Above all, the authority emphasised that a work record certificate included a lot of personal data – in addition to the basic information such as full name, place of residence and date of birth, it included details crucial for the data subject’s rights and freedoms. These included especially the method and legal basis of termination or expiry of the employment relationship as well as any wage garnishment. This revealed directly or indirectly details of an individual's personal life, his or her legal problems and financial standing (e.g. information about wage garnishment in the course of enforcement proceedings).

In its decision the Personal Data Protection Office reiterated that the key for the assessment whether an incident carried a risk of a violation of the data subject’s rights and freedoms was the fact that an unauthorised person could access that subject's personal data. Importantly, the authority held that it was irrelevant whether an unauthorised person actually accessed the data subject’s details (in this case the details on the lost work record certificate).

Due to the nature of the details on the lost document, the Personal Data Protection Office assessed that there was a risk of a violation of the rights and freedoms of the data subject, and the company was obliged to report it to the supervisory authority.

 DATA PROTECTION BITES

CONTACT

Contact Person Picture

Marta Wiśniewska

Attorney at Law

Senior Associate

+48 22 244 00 22

Invia richiesta

 RÖDL & PARTNER POLAND

​Discover more about our offices in Poland. Read more »
Deutschland Weltweit Search Menu