It is undisputed that the situation we describe constitutes a breach. The lost letter or package carried personal data on its label (full name and address), and it was also meant to deliver documents, often very important ones, to the person they concern, for instance an employee or client. Consequently, the availability of the data has been breached (a data carrier, which is often the only copy, has been lost), and often its confidentiality as well (after all, we do not know whether any unauthorized person has seen the contents of the letter or package).
This raises the million-dollar question: who should report the breach to the President of the Personal Data Protection Office (UODO)? The sender, Poczta Polska, or the courier?
The answer of the President of UODO may come as a shock: when a postal or courier item is lost, it is the sender who is obligated to report the breach, because the sender is the only one who knows what type of data the item contains and can therefore determine the risk that its loss poses to a natural person's rights and freedoms.
What does that mean? From your perspective, only one thing, but a crucial one: report such situations to your data protection officer. Based on the information you provide, they will decide whether the lost documents are important enough to the person they pertain to that the President of UODO and the intended addressee should be informed of the event, or whether no further action is needed and the event should only be recorded in the internal GDPR documentation.
We know that this message may not be what you hoped to hear, so here is some consolation. If only an acknowledgement of receipt is lost, it is the postal operator that is obligated to evaluate the consequences of the event.
Should you have questions about the problem described here, contact us; we are here for you.