At first, it examined whether the consent which was invoked by the controller concerned the delivery process. Then, the DPA moved on to a more detailed analysis related directly to the delivery. The above consideration allowed the DPA to assess that generally, the processing of the complainant’s data, including the processing of the complainant's personal data for the purpose of notifying her of the date of the meeting of the board was lawful as it was based mainly on the legal basis set out in Article 6(1)(b) of the GDPR. It was also necessary for the performance of the contract which was related to the complainant’s function as a member of the union. Processing was necessary due to employment relationship. It concluded that personal data was processed on the basis of Article 6(1)(b) and (c) of the GDPR. The DPA examined the legal basis of processing the complainant data by the controller. To make it easier for the courier to contact the complainant and because the data were necessary for the parcel to be delivered. The controller explained to the DPA that the complainant’s phone numbers were placed on the parcel due to two reasons. Also, the waybill contained name, last name and the phone number. Complainant’s first and last name, address, mobile and landline phone numbers were placed on the envelope. In connection with the scheduled meeting of the district board presidium, a parcel (correspondence) was sent to the complainant through the postal company. On one hand - the employment relationship, and on the other hand – she was a member of the union. In other words, the complainant had two separate legal relationships with the controller. The complainant also served as a member and secretary of the presidium of board of the controller by which she was employed. The complainant was an employee of the controller being an union (association). The controller made complainant’s data available to unauthorized persons by writing the mobile and landline telephone numbers on an envelope addressed to the complainant. The supervisory authority issued a warning to a controller for breaching Article 6(1) in conjunction with Article 5(1)(a), (b), (c) and (f) of the GDPR. The DPA’s decision which helps in determining the scope of data necessary to deliver the parcel was issued in September 2022 (it was not officially published by the DPA). Such scope and the DPA’s approach towards the subject may however be extracted from its decisions. The Polish Data Protection Authority (‘DPA’) has not published guidelines that would specify what scope of data may be disclosed to postal companies for the purpose of parcels delivery.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |