The case concerns an employee whose PIT-11 tax document (the annual tax settlement for the previous year) was sent by the company's accountant at the employer's instruction. The letter did not reach the recipient and was not returned to the employer (it was sent as a regular letter without a return address), and it is unknown who received it.
ANSWER
Sending a PIT annual tax statement to an incorrect residential address constitutes a personal data breach.
Under Article 4(12) of the GDPR, a personal data breach includes, among other things, the disclosure of personal data to unauthorized individuals.
As described, the letter did not reach the intended recipient and was not returned to the sender. Therefore, it must be assumed that it may have been received by an unauthorized person.
In such circumstances, the data controller has an obligation to follow the organization's procedures for handling personal data breaches and to take appropriate remedial actions.
If the employer and accountant do not recognize the issue as a problem, the employee should promptly submit a complaint to the President of the Personal Data Protection Office (PUODO).
More information about filing a complaint can be found on the PUODO website: https://uodo.gov.pl/pl/83/155
The PIT-11 form contains not only the employee's name and surname but also personal information such as:
- date of birth,
- PESEL number,
- residential address.
These are personal data elements that could potentially be used for identity theft, including obtaining loans or credit in another person's name.
For this reason, I would recommend taking appropriate action with regard to the employer and closely monitoring your financial and credit situation. If any irregularities are detected, the matter should be reported to the appropriate law enforcement authorities.


