The Polish Data Protection Authority imposed a fine after a company failed to notify a personal data breach involving the loss of an employee document. The case is a useful reminder that internal employment documents may contain personal data and that losing them can trigger GDPR breach obligations.
What happened?
The incident concerned the loss of an employee’s work certificate. Although the document may appear administrative, it contained information relating to an identifiable worker. Once the controller became aware of the loss, it had to assess whether the incident created a risk for the affected person.
Why this is a personal data breach
Under the GDPR, a personal data breach includes the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Losing an employment document can therefore be a breach if the document contains personal information.
When must a breach be notified?
If a personal data breach is likely to result in a risk to the rights and freedoms of individuals, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours. If the risk is high, affected individuals may also need to be informed.
Lessons for employers
- Employment documents should be treated as personal data.
- Paper files and certificates need secure storage and traceability.
- Lost documents should be investigated and documented immediately.
- The company should keep a breach register, even when notification is not required.
- Staff should know who to contact when a document is lost or disclosed by mistake.
Practical safeguards
Employers should define who may access employment records, how documents are delivered, how long they are retained and how incidents are escalated. These measures are especially important for HR teams, payroll providers and external advisers.
Conclusion
The loss of an employee document is not just an administrative mistake. It may be a personal data breach that requires analysis, documentation and, in some cases, notification to the data protection authority.




