Urbis sp. z o.o. – Violation Found (Poland, 2020)

Polish DPA received a letter from the State District Sanitary Inspector in Gniezno informing about the public disclosure of the list containing the addresses of residence of the persons who are in quarantine, which was ordered by an administrative decision and the mandatory quarantine in connection with the crossing of the country border, as well as the address data of persons undergoing home isolation in connection with a confirmed infection of coronavirus SARS-CoV-2. In the course of the proceedings, Polish DPA established that unauthorized disclosure of data took place in a waste management company. An employee of the company, responsible for supervising the printed list of addresses of people in quarantine, left it for a short time without proper supervision. At that time, there was also another employee of the company in the room - a driver, who, taking advantage of the fact that the person responsible for supervising the printed list was directed back to him, copied (recorded as a photo) the list. The driver was to be informed by the person supervising the printed list whether, as part of his or her work, waste is to be collected from the places on the above mentioned list. The driver then made this photo available to at least one person. The Polish DPA took steps to clarify the situation. It called the controller to clarify whether, in determining the procedures related to the processing of personal data concerning the addresses of persons under quarantine in connection with the coronavirus threat, it has carried out an analysis of the method of distribution of the above mentioned data in electronic and paper versions in terms of threats related to the loss of their confidentiality and to inform what the result of this analysis was. In the submitted explanations, the company stated, that it carried out the analysis taking into account the circumstances related to the processors' failure to comply with the procedures in force in the company and the circumst