A courier service provider does not have the status of data controller in relation to personal data in the correspondence.
Situations that require deciding whether to notify the supervisory authority of a personal data breach are ones that controllers would like to avoid. The loss of a registered package with important documents containing personal data is reported to the supervisory authorities as an incident. Of course, not every situation requires reporting; it all depends on the results of the risk assessment. In July 2022 the Administrative Court in Warsaw, following an appeal submitted by a data controller, issued a ruling stating that the controller of the data contained in the documents inside the correspondence is the entity sending it, and only it, as the sender, has knowledge of what data is inside the shipment. The courier service provider does not have such knowledge. The bank, and not the postal operator, determines the purposes of processing the data, as well as the means of processing them. Therefore, the sender must fulfill its obligations related to the breach. The Polish supervisory authority in this matter imposed an administrative fine of approximately EUR 100,000 and ordered that data subjects be notified of the incident by the data controller (the bank).
- The data controller in this case (the bank), despite having previously reported identical incidents and despite having itself assessed the risk of violating the rights of the data subjects as medium, decided not to report the loss of registered correspondence sent by the courier operator.
- The registered mail sent by the bank contained personal data such as name, surname, PESEL (unique number granted to every individual), registered address, bank account numbers, CIF number (identification number given to the Bank’s customers) of the applicants.
- The bank, based on the European ENISA methodology, assessed the incident as likely to cause a medium risk of violation of the rights and freedoms of data subjects. The bank decided not to report the breach to the supervisory authority and addressed a general letter to the data subjects describing what documents had gone missing.
Four issues were analyzed in depth by the Court in this case, following the findings of the supervisory authority:
- The entity responsible for data protection – the lost parcel contained banking documents and there is no doubt that the controller of the data appearing on them is the bank, which also sent the parcel, and it was the bank that was obligated to fulfill its obligations as controller. This is because it was the bank, and not the postal operator, that determined the purposes of processing the data covered by the aforementioned violation, as well as the means of processing them. In the case of irregularities in the delivery of a shipment, the duty to protect the interests of the data subject from the point of view of the risk of violation of the rights or freedoms of the data subject rests with the sender of the shipment, who, knowing the content of the lost correspondence, is able to assess the risks arising for the data subject. The postal operator and courier company can perform the duties of a controller, within the meaning of the provisions of the GDPR, but only with regard to the personal data of the senders and addressees of mail.
- It is not necessary that the unauthorized recipient actually came into possession of and became acquainted with the personal data of others. If there is such a risk, it consequently also means a potential risk of violation of the rights or freedoms of the data subjects. In this case the officials considered this risk to be high given the scope of the data.
- The information sent to the individuals must contain the elements referred to in Article 34(2) of the GDPR. The data controller sent the letter to the individuals, but it did not contain a description of the possible consequences of the personal data protection violation in question, or the name and contact information of the data protection officer or the designation of another contact point from which more information could be obtained. It also lacked any reference to the security measures taken by the controller to minimize the risk of possible future breaches.
- In determining the amount of the fine, the authority took into account i.a. the following circumstances: (i) long duration of the violation – from the time the bank became aware of the personal data protection violation until the date of the decision, more than 2 years passed, (ii) the willful nature of the breach – the bank has a high level of knowledge in the area of personal data protection, which includes knowledge of the consequences of identifying a personal data protection breach. Having such knowledge, after the risk analysis, the bank made a conscious and free decision not to report the breach and notify the data subjects, (iii) unsatisfactory cooperation with the data controller during the administrative proceedings.
The mitigating circumstances affecting the final amount of the fine were: (i) the number of affected data subjects – two individuals. The bank processes the personal data of a very large number of customers, and the number of two individuals affected should be considered small, (ii) actions taken by the controller to minimize harm to data subjects – sending information to the individuals (not fully in compliance with the GDPR), (iii) no previous violations – the authority has not identified any previous violations of GDPR provisions by the bank.
The controller of the data contained in the documents inside the correspondence is the entity sending them, and only it, as the sender, has knowledge of what data is transmitted in the shipment. The courier service provider does not have such knowledge. Indeed, postal operators or courier service providers are controllers, but only of the data appearing on the envelope, i.e. the data of the senders and addressees, the data to the extent necessary for the proper delivery of the mail. Controllers should pay attention to the risk analysis in connection with revealed incidents and act consistently with the results of such analysis. Sending an incomplete notification to the data subject may be helpful and is taken into account as a mitigating circumstance, but first the controller should consider what goal they want to achieve by sending such a letter.