It is hard to overstate how important it is for enterprises to recognise, and act on, any event in which documents containing personal data are lost or misplaced.
The protection of personal data is a central objective of the European Union, pursued through the introduction of the GDPR, a framework that protects against violations of personal data. Among other things, this legal framework imposes a clear duty on all organisations to report certain personal data breaches to the relevant supervisory authority within strict timeframes.
Recent developments in the field – The facts
In a recent example of this kind of incident, the Polish Data Supervisory Authority was put on notice concerning potential irregularities in the processing of personal data by a Polish company. An investigation into the allegations ensued and the company was asked to explain the matter. During the investigation, it emerged that the company, acting as a data controller, had lost or misplaced a document from the personal file of an employee, apparently through the fault of another employee. The document contained sensitive data about the employee concerned.
Even though the loss of this document plainly violated the data protection rights of the employee, the company merely notified the data subject, i.e. the employee, who decided not to bring any claim against the company. On that basis, the company concluded that the loss of the document did not pose a risk to the rights or freedoms of the data subject and therefore chose not to notify the competent authority of the breach.
Recent developments in the field – The approach of the competent authority
The Polish Data Supervisory Authority examined the company's conduct and held that its failure to notify constituted a clear violation of the GDPR. The decision noted that it was entirely irrelevant whether, as a result of the loss or misplacement of the document, an unauthorised person actually acquired access to, or in fact accessed, the document. The mere possibility that this could occur, i.e. that an unauthorised person had the opportunity to access such data, was enough to constitute a violation of the GDPR. The authority further held that the company was liable even though the loss of the document resulted from an isolated mistake by an employee rather than a breach of the company's policies. Lastly, it decided that the affected employee's choice not to complain about the incident was immaterial to the company's liability and was not a sufficient ground for failing to notify the competent authority of the breach.
On these grounds, the Polish Data Supervisory Authority imposed a fine of approximately €3,500 on the company. In assessing the size of the fine, the authority treated as aggravating circumstances the duration of the breach, i.e. the time that elapsed before the document was retrieved, the company's failure to notify the competent authority promptly, and its lack of cooperation with the authorities. On the other hand, the authority regarded several circumstances as mitigating factors, namely that only one person was affected, that no claims had been brought against the company, and that this appeared to be an isolated incident, the company having no prior data breaches on record.
Clearly, processing personal data carries responsibility. Employers should keep in mind that proper safeguards need to be in place to prevent the loss or disclosure of personal data. If a breach does occur, the Office of the Commissioner for Personal Data Protection must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; as the Polish decision shows, the data subject's own reaction does not settle that question. An entity that fails to handle the matter properly may face substantial fines.