The President of the Personal Data Protection Office (PUODO), by decision issued on 6 June 2022, fined Esselmann Technika Pojazdowa spółka z ograniczoną odpowiedzialnością sp. k. PLN 16,000 for violation of Articles 33 and 34 of the GDPR. The District Police Commander notified PUODO about irregularities related to the keeping of employee personal files in the company. After an investigation, it turned out that at the stage of completing the employees’ personal files, the employment certificate of one of the employees was lost. The data protection authority was not informed about the incident. According to Esselmann’s explanations, the reason for the failure to notify was the lack of risk to the rights or freedoms of the data subject, and the employee was properly notified of the breach and did not report any related claims. During the proceedings, PUODO did not receive any evidence confirming the company’s claims, which resulted in finding failure to notify the authority about the breach and failure to notify data subject of the breach.
According to the supervisory authority, the employment certificate contains a lot of valuable information about the employee. Besides data such as name and address, the certificate of employment may include ID numbers and even sensitive data. What is more, the document can provide information on the financial status of a data subject, e.g., attachment of salary for enforcement proceedings. The obligation to inform the supervisory authority under Art. 33 GDPR, appears as soon as there is a risk of violation of rights or freedoms, so it is not necessary for an unauthorized person to get acquainted with the data. The emergence of such a risk determines obligation to communicate the data subject about the breach (Article 34 of the GDPR). The controller fully knowingly failed to meet the requirements set out in the GDPR, which is why the supervisory authority decided to impose an administrative fine.