Each controller is obligated to adopt appropriate technical and organizational measures to ensure the integrity, confidentiality, and availability of personal data processing. Therefore, all processing activities undertaken by a controller must reflect a risk-based approach.

When undertaking personal data processing activities, the controller must ensure that each processing operation is adequately secured. However, sometimes, despite the controller's implementation of the necessary measures and the conclusion of specific agreements aimed at securing personal data, a data security breach occurs through no fault of the controller. This type of situation occurs, for example, in the case of sending parcels. The controller can internally organize the entire correspondence handling process in a way that mitigates the risk of violations, i.e., streamline it to ensure that parcels are addressed to the correct recipients, that envelopes contain content addressed to the correct recipients, that parcels are not lost at the controller's premises and that they are properly recorded. However, this does not affect the delivery of parcels to recipients, which must be delivered via a postal operator, especially if we are talking about the operator designated to provide universal service from 2016 to 2025, i.e., Poczta Polska.

Pursuant to Article 41 of the Act of 23 November 2012 – Postal Law – the postal operator is obliged to maintain postal secrecy , which includes:

information transmitted in postal items ,
information on the execution of postal orders ,
data on entities using postal services and
data concerning the fact and circumstances of the provision of postal services or the use of these services .

The Act also indicates that a breach of the obligation to maintain postal secrecy includes, in particular, disclosing or processing information or data covered by postal secrecy, opening sealed postal items or reading their content, and enabling unauthorized persons to undertake specified actions that have an impact on the breach of postal secrecy.

Please remember, however, that this is an open catalogue, so the loss of a parcel for which there is no information as to whether it has been opened will also constitute a breach of confidentiality.

The postal operator is also obliged to exercise due diligence to the extent justified by technical or economic reasons in securing devices and facilities used in the provision of postal services and data sets against the disclosure of postal secrets.

In the judgment of the Supreme Administrative Court of 28 June 2022, II GSK 265/19, the Court indicated that a violation of the principle of correspondence secrecy, understood as the possibility of becoming familiar with the content of a shipment, should always be classified as a violation of the provisions on the obligation to maintain the secrecy of correspondence, regardless of whether such becoming familiar with the content of the shipment actually occurred . In such a case, it always leads to a threat to the security of postal traffic and the vital interests of entities using postal services.

Despite this structured regulation, the controller of the sender's and recipient's data will be the postal operator , but the sender will be responsible for ensuring the personal data contained within the shipment is adequately secured . This is also confirmed by the case law of the Provincial Administrative Court in Warsaw, which, in July 2022, issued a judgment, following a complaint filed by the data controller, ruling that the sender of the shipment is the controller of the data contained in documents within correspondence, as only they have knowledge of the data transferred within the shipment. Therefore, in the event of loss or opening of the shipment by an unauthorized person, the sender must fulfill the obligations related to the breach. The Polish supervisory authority (PUODO) imposed an administrative fine of PLN 363,000 in this case and ordered the data controller to notify data subjects of the breach.

The current President of the Personal Data Protection Office (UODO) has highlighted the scale of personal data breaches related to the loss of parcels sent by data controllers. He pointed out that parcels often contain special category data, and therefore, such an event automatically constitutes a personal data breach, posing a high risk to the rights and freedoms of data subjects. Consequently, in a letter dated April 2, 2024, the President of the UODO requested the President of Poczta Polska to take urgent action to eliminate such incidents.

The issue of parcel loss was already raised by the supervisory authority in 2019-2020. At that time, the postal operator committed to conducting employee training and building awareness of personal data protection. Another important issue raised by the President of the Personal Data Protection Office is whether Poczta Polska monitors previously implemented measures to enhance parcel security and whether steps will be taken to implement new mechanisms to ensure personal data protection.

This article is for informational purposes only and does not constitute legal advice.

Legal status as of April 30, 2024

author:

series editor:

Mateusz Grosicki

Attorney, partner
+48 506 367 109 | m.grosicki@kglegal.pl

Post Views: 72

Graś i Wspólnicy Law Firm is – Professionalism Experience Support.

Lost parcel – who is violating GDPR regulations?

Latest posts

Will KOWR solve the problem of the deficit of building plots?

Draft amendment to the Act on Ownership of Premises

Sanctions in the KSeF

The principle of equal pay in labor law – scope, meaning and legal consequences

Co-financing for the registration of trademarks and industrial designs

Our cycles

Law Firm Warsaw
Graś and Partners

Our services

Menu

Contact us!