The Polish Data Protection Authority imposed an administrative fine of almost PLN 16 000 on Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. for failing to notify the Polish DPA of a personal data breach consisting of the loss of an employee’s work certificate.
The Poviat Police Commander notified the Polish Data Protection Authority of potential irregularities in a company's processing of personal data in connection with the loss of an employee’s document. Bearing that in mind, the Polish DPA required the company to provide clarifications about the situation.
Loss of an employee’s document
In its clarifications, the company stated that a personal data breach had occurred due to the loss of an employment certificate. It is clear that the certificate of employment contains a lot of important information about the person.
At the same time, the company explained that it had not notified the breach to the Polish DPA. From its standpoint, the breach did not involve a risk to the rights or freedoms of the employee. Furthermore, the company held that it had notified the data subject of the loss of his/her employment certificate, and the employee had made no claims.
The importance of the certificate of employment’s content
According to the Polish authorities, the company’s position that the incident did not constitute a personal data breach had no factual or legal basis, as the information an employment certificate includes is considered personal data. Aside from basic personal information, the content of the certificate of employment is particularly important from the perspective of the rights or freedoms of the data subject. In particular, the document contained information about the procedure and legal basis for the termination, or the legal basis for the expiry, of the employment relationship, as well as the possible attachment of salary.
Such information may directly or indirectly reveal data on the individual’s private life, legal issues, financial status, and so forth.
Consequently, it should be borne in mind that if there is a risk to the rights or freedoms of the person affected by the personal data breach, the controller should notify the breach to the DPA.
According to the Polish authorities, however, the company decided not to notify the breach to the supervisory authority. This means that the company did not fulfil its obligation to notify the breach to the DPA, which led to an administrative fine of almost PLN 16 000.