Auratech Legal Solutions

Loss of an Employee Document and GDPR Breach Notification

The Polish Data Protection Authority imposed a fine after a company failed to notify a personal data breach involving the loss of an employee document. The case is a useful reminder that internal employment documents may contain personal data and that losing them can trigger GDPR breach obligations.

What happened?

The incident concerned the loss of an employee’s work certificate. Although the document may appear administrative, it contained information relating to an identifiable worker. Once the controller became aware of the loss, it had to assess whether the incident created a risk for the affected person.

Why this is a personal data breach

Under the GDPR, a personal data breach includes the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Losing an employment document can therefore be a breach if the document contains personal information.

When must a breach be notified?

If a personal data breach is likely to result in a risk to the rights and freedoms of individuals, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours. If the risk is high, affected individuals may also need to be informed.

Lessons for employers

Practical safeguards

Employers should define who may access employment records, how documents are delivered, how long they are retained and how incidents are escalated. These measures are especially important for HR teams, payroll providers and external advisers.

Conclusion

The loss of an employee document is not just an administrative mistake. It may be a personal data breach that requires analysis, documentation and, in some cases, notification to the data protection authority.
