The Voivodship Administrative Court in Warsaw in its judgment of 1 July 2022, affirmed that it is the bank that is the controller of the personal data contained in a lost shipment (sent by the bank) and should be the one to report the breach.

The fact that the shipment was lost through the fault of the courier is irrelevant in this case.

The postal operator is only the controller of the data appearing on the envelope, and therefore necessary for the delivery of the mail.

In the case at hand, a shipment containing documents with the customer's personal data (full name, PESEL, address, bank account number) went missing.

The bank had no information about what happened to the shipment - so it did not know whether the data contained in the documents had been accessed by unauthorized persons.  

In this situation, it was necessary to report this fact to the President of the Personal Data Protection Office (UODO) and to notify the persons whose data were in the shipment.

The bank failed to do so and hence it is required to pay a fine of over PLN 363 thousand.

The Court judgment is a warning to all data controllers who send documents containing personal data by mail - including employers.

This is because if such a shipment is lost, the security of personal data is compromised and unauthorized disclosure is possible.

If the controller has lost control of the shipment and does not know what happened to it, it is mandatory to notify the President of the Personal Data Protection Office and the data subjects.

Find more in the PRO HR August 2022.