UODO (Poland) - DKN.5131.22.2021

From GDPRhub
UODO (Poland) - DKN.5131.22.2021
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.07.2021
Published: 13.07.2021
Fine: 10000 PLN
Parties: n/a
National Case Number/Name: DKN.5131.22.2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: PREZES URZĘDU OCHRONY DANYCH OSOBOWYCH (in PL)
Initial Contributor: Maciej Niezgoda

English Summary

The Polish DPA (UADO) imposed an administrative fine of PLN 10,000 (approximately: €2,170) on the President of the District Court in Zgierz for failing to implement appropriate technical and organisational measures to ensure security, which resulted in the loss of a unencrypted USB-Stick containing (sensitive) personal data.

Facts

The President of the District Court (the controller) reported the loss of an unencrypted USB-Stick by a probation officer. This USB-Stick contained the personal data of 400 persons, subject to probation supervision. Besides names, dates of birth, addresses, data on convictions etc., the stick also contained sensitive data (health data).

The controller stated that he had implemented a system of rules to secure the protection of personal data (the Security Policy), updated the documentation constantly. To ensure the effectiveness of these measures, the controller provided stationary and e-learning trainings to all of the District Court's employees.

One of the rules forbade the use of private "information carriers" for processing business data. However, although users of USB-Sticks (like the probation officer) had the obligation to store the stick in a lockable work bag, measures like encryption and password protection of media, were not obligated. The user was, ultimately, responsible to implement appropriate safeguards for the storage on the USB-Stick. Lastly, although the controller claimed that the DPO conducted ad hoc checks, with additional system security evaluation by the IT department, he did not provide any evidence to the DPA that confirmed that such tests actually occurred.

Holding

The DPA found that the controller breached Article 5(1)(f), Article 24(1), Article 25(1), Article 32(1)(b) and (d), and Article 32(2) GDPR due to a lack of a reliably conducted risk analysis, combined with the lack of regular testing, measuring and evaluation of the effectiveness of the implemented technical and organisational measures to ensure the security of processing.

First, regarding the risk analysis, the DPA stated that, for the risk analysis, the controller should take into account the characteristics of the processes involved, assets, vulnerabilities, threats and existing safeguards as part of the processing of personal data taking place. The data controller determined that the loss of a USB-Stick was a "medium risk", which meant that "training for personnel on potential threats" was deemed a sufficient measure to reduce the risk to a "low level" risk. The DPA stated that such measures can not be regarded as sufficient. Nor do they suffice the requirement to put in place appropriate technical measures, since the controller obliged the users, like the probation officer that lost the USB-Stick, to implement technical safeguards on their own. Now, the user might not have enough technical knowledge to know how to implement such safeguards. Hence, ultimately, the lack of guidance resulted in the possibility for unauthorised persons to access the personal data processed on that medium.

Second, the DPA considered that the implementation ad hoc tests by the DPO, do not suffice the requirement of regular testing, since they are not "aimed at verifying the effectiveness of the implemented security measures. New risks may arise during the the implementation of individual processing activities. Hence, it is of utmost importance that such testing is carried out regularly, so that the results of these tests can be evaluated carefully.

It follows from the Polish DPA decision that by losing the memory stick, the President of the District Court committed a breach of, inter alia, the principle of confidentiality and integrity, as laid down in Article 5. Hence, the Polish DPA set an administrative fine of PLN 10,000, considering as a mitigating circumstance the good cooperation of the President of the District Court with the supervisory authority, undertaken and conducted in order to remove the violation and mitigate its possible negative effects.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.


        
            
                
                THE CHAIRMAN OF PERSONAL DATA
            
            
                Warsaw, day 13
                July
                2021
            
        
        
            DECISION
                    
        DKN.5131.22.2021
        Based on Article. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2021, item 735), art. 7 sec. 1, art. 60, art. 102 paragraph. 1 point 1 and sec. 3 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) and Art. 57 sec. 1 lit. a) and h), art. 58 sec. 2 lit. i), art. 83 sec. 1 - 3, art. 83 sec. 4 lit. a), art. 83 sec. 5 lit. a) in connection with Art. 5 sec. 1 lit. f), art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b) and d) and art. 32 sec. 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on the protection of data) (Journal of Laws UE L 119 of 04.05.2016, p. 1, Journal of Laws UE L 127 of 23.05.2018, p. 2 and EU Official Journal L 74 of 4.03.2021, p. 35) ), after conducting administrative proceedings initiated ex officio on the processing of personal data by the President of the District Court in Zgierz (Zgierz, ul. Sokołowska 6), the President of the Office for Personal Data Protection & # 13;
finding that the President of the District Court in Zgierz infringed the provisions of Art. 5 sec. 1 lit. f), art. 24 sec. 1 Art. 25 sec. 1, art. 32 sec. 1 lit. b) and d) and art. 32 sec. 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on the protection of data) (Journal of Laws UE L 119 of May 4, 2016, p. 1, Journal of Laws UE L 127 of May 23, 2018, p. 2 and Journal of Laws UE L 74 of March 4, 2021, p. 35) ) (hereinafter: Regulation 2016/679), consisting in the failure to implement by the President of the District Court in Zgierz appropriate technical and organizational measures ensuring a level of security corresponding to the risk of data processing using external portable memory, ensuring the security of personal data stored there, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, which resulted in the loss of external portable memory with personal data stored on it in a way seized, imposes on the President of the District Court in Zgierz for violation of Art. 5 sec. 1 lit. f), art. 25 sec. 1, art. 32 sec. 1 lit. b) and d) and art. 32 sec. 2 of Regulation 2016/679, an administrative fine in the amount of PLN 10,000 (in words: ten thousand zlotys). & # 13;
EXPLANATORY STATEMENT & # 13;
The Office for Personal Data Protection [...] February 2020 received a notification of a personal data breach signed by the President of the District Court in Zgierz (hereinafter: the President of the Court or the administrator), registered under the reference number [...], informing about a breach of personal data protection of 400 people , subject to probation and covered by the community interview by the probation officer, in terms of names and surnames, dates of birth, addresses of residence or stay, PESEL registration numbers, data on earnings and / or property, series and numbers of identity cards, telephone numbers, data concerning health and data on criminal convictions. The reported incident took place on [...] February 2020 and consisted in the loss of an unencrypted USB flash drive by a probation officer. In section 2A of the application form, the District Court in Zgierz was indicated as the data controller. & # 13;
Due to the scope of the disclosed personal data, the indicated breach resulted in a high risk of violating the rights or freedoms of natural persons. The administrator therefore informed that on [...] February 2020, it published on the website of the District Court in Zgierz, hereinafter referred to as the "Court", a notice of violation, indicating that "it is possible that someone will try to use the data stored there". He also asked for "vigilance, and in the event of obtaining information about any attempts to use the data at the Court's disposal - for immediate notification of law enforcement agencies and for contact with the District Court in Zgierz." & # 13;
By letters of [...] May and [...] July 2020, the President of the Office for Personal Data Protection (hereinafter also the President of the Office) requested another, correct notification of natural persons, because the message addressed to the data subjects did not meet the conditions specified in Regulation 2016/679 in terms of the description of the possible consequences of the breach of personal data protection and the description of the measures taken or proposed by the controller to remedy the breach - including, where applicable - measures to minimize its possible negative effects. & # 13;
In addition, by letters of [...] May and [...] July 2020, the President of the Office requested additional explanations, including: & # 13;
1. Whether and how probation officers were recommended to secure data stored on external storage media. 2. Has the personal data controller developed and implemented procedures for the use of external storage media and for securing personal data processed on external media outside the controller's seat. 3. Whether the lost storage medium was handed over to the curator by the administrator, or did it belong to the curator. 4. If the lost medium was the property of the probation officer, do the data controller's procedures allow for such a possibility and how is control over such processing of personal data exercised. & # 13;
In response to the request, on [...] August 2020, the Administrator informed about the posting of a supplemented message on the breach of personal data protection, and by a letter of [...] August 2020, it indicated that: & # 13;
1. Probation officers were recommended to comply with the data protection regulations in the Court and data protection procedures in individual interviews and during training meetings. He has developed and implemented procedures for the use of external storage media and the protection of personal data processed on external media outside his seat, and this procedure is part of the Information System Management Instruction at the District Court in Zgierz. 3. The lost storage medium was issued to the probation officer by the Court, while the Data Protection Regulations for the Court prohibit the use of private data carriers for the processing of official data. & # 13;
In connection with the presented explanations, by a letter of [...] September 2020, the President of the Office initiated administrative proceedings ex officio, due to the possibility of the District Court in Zgierz, as the data controller, breaching the obligations arising from Regulation 2016/679, i.e. Art. 5 sec. 1 lit. f), art. 24 sec. 1, art. 25 sec. 1 and art. 32 sec. 1 and 2, in connection with the breach of personal data protection (ref. […]). Moreover, the President of the Office called on the Court to present further explanations and documentation concerning: & # 13;
1. Indication of whether, before the infringement in question, the data controller defined the rules for the processing of personal data and the security measures applied using flash drives, and if so, what steps were taken by the controller to ensure the effectiveness of the introduced solutions, and in particular whether and how the was the verification of their compliance by persons with access to personal data, including probation officers. 2. Determining whether, and if so, how the lost medium has been protected against access to personal data processed using it. 3. Indication whether the security measures were implemented by the administrator before the medium was released for use, or whether the curator was obliged to apply them personally. 4. Provide information whether probation officers were acquainted with the implemented procedures and solutions before the violation in question occurred. 5. Indication of whether, prior to the occurrence of the personal data breach in question, the controller performed an analysis of the risk of a possible breach in this respect. 6. Providing information as to whether, and if so, when and how, the controller regularly tested, measured and assessed the effectiveness of technical and organizational measures to ensure the security of the processed personal data concerned by the breach. & # 13;
In response, the Administrator, in a letter of [...] October 2020, explained that before the infringement occurred, it had implemented a personal data protection system in the form of rules for the processing of personal data, which were set out in the Security Policy of the District Court in Zgierz and the IT System Management Instruction for data processing personal data at the District Court in Zgierz. This system has been operating in the administrator's structure since [...] November 2017, and the implemented documentation is constantly updated and audited by a data protection officer appointed for this purpose. According to the appendix no. 4 "Rules for the protection of data carriers after the update of [...] May 2018" attached to the letter, "it is forbidden to use and process business data with the use of private information media (including flash memory, CDs, USB flash drives). and external drives) ”. In order to ensure the effectiveness of the implemented solutions, the Court undertook activities in the form of stationary and e-learning training courses for employees of the Court (including probation officers), regarding the protection of personal data and records of the implemented documentation, duties performed by the data protection officer at the controller's seat, on- line and ad hoc controls carried out by the data protection officer during his on-call duty. & # 13;
As further pointed out by the Administrator, in accordance with the content of the IT System Management Instruction, the obligation to secure the medium rests with the user who secured it by storing it in a lockable bag, while after the violation in question, the procedure for issuing data carriers was updated by introducing recording, encryption and password protection on media. All employees of the Court, including probation officers, undergo training in the field of data protection and rules for dealing with data processed in the District Court in Zgierz. Trainings are conducted by an e-learning platform, after completing such training, the employee must pass the knowledge test, only after passing the test, the system generates a certificate and authorization to process personal data, an integral part of which is a declaration of reading the documentation, as well as in a traditional form, conducted by the data protection officer. The administrator also carried out a risk analysis of the possibility of this type of breach in the form of loss of equipment or media, defining the risk at an average level and indicating the need to reduce this risk, adopted as a sufficient measure limiting the possibility of materializing this risk in the form of training for staff on potential threats. & # 13;
In terms of regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure the security of personal data processed, in the context of the implementation of obligations arising from, inter alia, joke. 32 sec. 1 lit. d) of Regulation 2016/679, the Administrator indicated that the data protection officer, in consultation with the Director of the Court, carries out ad hoc checks in individual court departments during visits in accordance with the duty schedule. In special cases, the verification is performed at the request of the head of the department, while the testing, measurement and evaluation of system security and their effectiveness is carried out by the IT department. However, he did not provide documentation confirming the performance of any testing, measurement and evaluation of the effectiveness of the implemented technical and organizational measures. & # 13;
The administrator also indicated that after the violation in question, in accordance with the order No. [...] of the President of the District Court in Zgierz of [...] February 2020, all removable memories were secured with an encryption application. & # 13;
In connection with the above, on [...] March 2021, the President of the Office called on the Court to provide further explanations, in the form of an indication of the provisions constituting the legal basis for appointing a probation officer in relation to each of the cases assigned to him to conduct cases in which personal data were processed on the lost storage medium. & # 13;
In a reply sent to the supervisory authority on [...] April 2021, the Administrator indicated that the duties and powers of probation officers as well as the legal conditions for this function are specified in the Act of July 21, 2001. on probation officers (Journal of Laws of 2020, item 167), hereinafter referred to as the "Act on probation officers". After the amendment of February 21, 2019 and the addition of Art. 9a - probation officers are fully legitimized to collect and process information necessary in the cases entrusted to them. Supervisions were commissioned pursuant to § 2 of the Regulation of the Minister of Justice of 12 June 2003 on the detailed manner of exercising the rights and obligations of professional probation officers (Journal of Laws of 2014, item 795), while environmental interviews were commissioned to the probation officer in the following types of cases: & # 13;
- in matrimonial matters (Article 434 of the Act of November 17, 1964, Code of Civil Procedure (Journal of Laws of 2020, item 1575), hereinafter referred to as "the Code of Civil Procedure", in connection with Article 56 § 2, 58 § 1 and 61¹ § 2 of the Act of February 25, 1964, the Family and Guardianship Code (Journal of Laws of 2020, item 1359) - in cases for adjudication in important family matters (Art. 565¹ of the Code of Civil Procedure); - in custody of minors (Art. 570¹ of the Code of Civil Procedure); - in matters relating to the establishment of guardianship or guardianship and the enforcement proceedings conducted in order to determine the possibility or manner of custody or guardianship as well as the living conditions of the person concerned (Art. 570¹ª of the Code of Civil Procedure) ); - in cases concerning the adoption of a child (Article 9 of the European Convention on the Adoption of Children); - in the investigation and examination proceedings in juvenile cases (Article 24 of the Act of 26 October 1982 on proceedings in juvenile cases (Journal of Laws of 2018, item 969); - to determine the circumstances indicating abuse alcohol by the person concerned and disturbing the peace or public order, as well as their relationship in the family, behavior towards minors and work relationship (art. 30a of the Act of October 26, 1982 on Upbringing in Sobriety and Counteracting Alcoholism (Journal of Laws of 2019, item 2277); - in order to determine the living conditions of the person concerned and its functioning in the environment (Art. 42a of the Mental Health Protection Act of 19 August 1994 (Journal of Laws of 2020, item 685); - control interviews conducted by professional probation officers in the supervision of social probation officers and other authorized persons (art. point 4 of the Act on probation officers and § 5 point 2 of the Regulation of the Council of Ministers of June 12, 2003 on the detailed manner of exercising the powers and duties of probation officers (Journal of Laws of 2014, item 989). & # 13;
The Administrator further explained that the procedure for conducting interviews by a family probation officer was specified in § 6-8 of the Regulation of the Minister of Justice on the detailed manner of exercising the powers and duties of probation officers and in the Regulation of the Minister of Justice of August 16, 2001 on detailed rules and procedure for conducting probation officers. environmental interviews about minors (Journal of Laws of 2001, No. 90, item 1010). In addition, he indicated that the provisions of § 1 para. 1 and 2, § 2, § 3, § 4 and § 7 of the Regulation of the Minister of Justice of June 11, 2003 on the regulations of activities in the field of conducting an environmental interview and the model questionnaire for this interview (Journal of Laws of 2003, No. 108., item 1018). & # 13;
Pursuant to Art. 9b of the Act on probation officers, the administrator of data processed in order to perform tasks or duties by the probation officer is the president of the court in which the probation officer performs official duties. & # 13;
As is clear from the findings, the breach of personal data protection reported to the President of the Office and registered under reference number [...], consisted in the loss by the probation officer of an unencrypted portable flash drive, which was used to process the personal data of 400 people subject to probation and covered by the environmental interview by the probation officer, in terms of names and surnames, dates of birth, addresses of residence or stay, PESEL registration numbers, data on earnings and / or property, series and numbers of ID cards, telephone numbers, health data and data on criminal convictions. Thus, pursuant to the above-mentioned provision of the Act on probation officers, the administrator of data processed by the probation officer on a lost medium is the President of the District Court in Zgierz, and not the Court. & # 13;
In view of the above, in the letter of [...] May 2021, the President of the Office initiated administrative proceedings against the breach by the President of the District Court in Zgierz, as the data controller, of the obligations arising from Regulation 2016/679, i.e. Art. 5 sec. 1 lit. f), art. 24 sec. 1, art. 25 sec. 1 and art. 32 sec. 1 and 2, in connection with the above-mentioned breach of personal data protection (ref. DKN.5131.22.2021). Moreover, pursuant to Art. 123 § 1 and art. 75 § 1 of the Code of Civil Procedure in connection with joke. 7 sec. 1 of the Act on the Protection of Personal Data, the President of the Office issued [...] May 2021, a decision on the preparation of certified copies of the files of the proceedings with reference number [...], i.e. a notice of the initiation of administrative proceedings against the District Court in Zgierz on [...] September 2020 , replies of […] October 2020, requests for clarification of […] February 2021, replies of […] March 2021, requests for explanations of […] March 2021 and the responses of [...] April 2021, in order to include them in the procedure under reference DKN.5131.22.2021. & # 13;
After considering all the evidence collected in the case, the President of the Personal Data Protection Office considered the following: & # 13;
Article 5 of Regulation 2016/679 indicates the rules for the processing of personal data that must be respected by all administrators, i.e. entities designated by Union law or the law of a Member State and entities that independently or jointly with others determine the purposes and methods of personal data processing. Pursuant to Art. 5 sec. 1 lit. f) of Regulation 2016/679, personal data must be processed in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures ("integrity and confidentiality ”). & # 13;
Pursuant to Art. 24 sec. 1 of Regulation 2016/679, taking into account the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons of varying probability and seriousness, the controller implements appropriate technical and organizational measures to ensure that the processing is carried out in accordance with this Regulation and to be able to demonstrate it . These measures are reviewed and updated as necessary. & # 13;
The provision of art. 24 sec. 1 of Regulation 2016/679 defines the basic and main obligations of the controller, who is charged with the implementation of appropriate technical and organizational measures to ensure the compliance of processing with the requirements of Regulation 2016/679. This is, in particular, about the implementation of the principles set out in Art. 5 sec. 1 of the Regulation 2016/679. & # 13;
However, according to Art. 25 sec. 1 of Regulation 2016/679, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons with different probabilities and severity of risks resulting from the processing, the administrator both in determining the methods of processing and during the processing itself - implements appropriate technical and organizational measures, such as pseudonymisation, designed to effectively implement data protection principles, such as data minimization, and to provide the processing with the necessary safeguards to meet the requirements of the regulation and protect the rights of data subjects concern (data protection by design). & # 13;
Pursuant to Art. 32 sec. 1 of Regulation 2016/679, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons with different probabilities and severity, the controller and the processor implement appropriate technical and organizational measures to ensure the level of security corresponding to this risk, including, inter alia, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (point b), as appropriate, and regular testing, measurement and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing ( letter d). & # 13;
Pursuant to Art. 32 sec. 2 of Regulation 2016/679, the administrator, when assessing whether the level of security is appropriate, takes into account in particular the risk associated with the processing, in particular resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise processed. & # 13;
The provisions of Art. 25 sec. 1 and art. 32 sec. 1 and 2 of Regulation 2016/679, along with art. 24 sec. 1 above of the regulation, thus constitute a specification of the provisions referred to in Art. 5 sec. 1 lit. f) Regulation 2016/679, the rules of integrity and confidentiality. & # 13;
Data confidentiality is a property that ensures, in particular, that data will not be disclosed to unauthorized entities, obtained, inter alia, through the use of technical and organizational measures adequate to the scope of the data, the context of processing and identified risks. The indicated principle, as results from the established facts, was violated by the President of the Court by issuing for official use to probation officers an unsecured portable storage medium and obliging them to implement security measures for this storage on their own, which as a result of the loss of such a medium by the probation officer resulted in the possibility of persons unauthorized access to personal data processed on this medium. As it was established, the only security used by the probation officer was storing the medium in a closed service bag. & # 13;
As indicated by the Provincial Administrative Court in Warsaw in the judgment of 3 September 2020, file number II SA / Wa 2559/19, "Regulation 2016/679 introduced an approach in which risk management is the foundation of activities related to the protection of personal data and is a continuous process. . Entities processing personal data are obliged not only to ensure compliance with the guidelines of the above-mentioned of the regulation through one-off implementation of organizational and technical security measures, but also to ensure the continuity of monitoring the level of threats and ensuring accountability in terms of the level and adequacy of the introduced security. This means that it becomes necessary to prove to the supervisory authority that the solutions introduced to ensure the security of personal data are adequate to the level of risk, as well as take into account the nature of the organization and the personal data processing mechanisms used. The administrator is to independently carry out a detailed analysis of the data processing processes carried out and perform a risk assessment, and then apply such measures and procedures that will be adequate to the assessed risk. & # 13;
The consequence of such orientation is the resignation from the lists of safety requirements imposed by the legislator in favor of the independent selection of security measures based on the analysis of threats. Administrators are not informed about specific security measures and procedures. The administrator is to independently carry out a detailed analysis of the data processing processes carried out and assess the risk, and then apply such measures and procedures that will be adequate to the assessed risk. "& # 13;
In the context of the judgment, it should be noted that the risk analysis carried out by the personal data administrator should be documented and justified on the basis of, first of all, the determination of the actual state of affairs at the time of its performance. In particular, the characteristics of the processes involved, assets, vulnerabilities, threats and existing safeguards as part of the ongoing personal data processing processes should be taken into account. The scope and nature of personal data processed in the course of activities carried out by the data controller cannot be overlooked during this process, because depending on the scope and nature of the disclosed data, the potential negative consequences for a natural person in the event of a breach of personal data protection will depend. & # 13;
The term asset is used to indicate anything of value to the data controller. Some assets will be worth more than others and should be assessed and secured from this perspective as well. The interrelationships of existing assets are also very important, e.g. the confidentiality of assets (personal data) will depend on the type and method of processing these data. Establishing the value of assets is necessary to estimate the effects of a possible incident (personal data breach). It is obvious that a wide range of personal data or the processing of personal data referred to in Art. 9 or article. 10 of Regulation 2016/679, may cause (in the event of a breach of personal data protection) far-reaching negative consequences for data subjects, so they should be assessed as high-value assets, and thus the level of their protection should be adequately high. & # 13;
It is necessary, inter alia, for this purpose, so as not to duplicate existing or applied safeguards to be specified. It is also essential to check the effectiveness of these security measures, because the existence of an unchecked security may eliminate its value, and may give a false sense of security and may result in the omission (undetection) of a critical vulnerability, which, if used, will have very negative consequences, including in particular lead to a breach of personal data protection. & # 13;
Vulnerability is commonly defined as a weakness or a security gap which, when exploited by a given threat, may interfere with functioning, and may also lead to incidents or violations of personal data protection. Identifying threats is determining what threats and from what direction (reason) may appear. & # 13;
The method of carrying out a risk analysis is, for example, defining the risk level as the product of the probability and the effects of the occurrence of a given incident. Typically, a risk matrix is used to visualize the levels of risk, representing the levels of risk for which the organization is defining appropriate activities. & # 13;
In order for the risk analysis to be carried out in a proper manner, for each of the assets the threats that may occur in data processing should be defined. & # 13;
Moreover, in order to fulfill the requirement of art. 32 sec. 1 lit. d) of Regulation 2016/679, indicated, moreover, in the above-mentioned judgment of the Provincial Administrative Court in Warsaw as an obligation to ensure the continuity of monitoring the level of threats and ensuring accountability in terms of the level and adequacy of the implemented security measures, the personal data administrator should regularly test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of processing. & # 13;
Risk management (conducting a risk analysis and, on this basis, implementing appropriate safeguards) is one of the basic elements of the personal data protection system, and, as the judgment cited above also indicates, is a continuous process. Therefore, periodic verification of both the adequacy and effectiveness of the applied security measures should take place. & # 13;
The risk analysis presented by the Administrator in the course of the administrative procedure, carried out before the violation in question, shows a score of 6 for the risk of "Losing equipment, carriers". According to the presented documentation, this is an average risk level, resulting in the need to implement security measures in order to reduce it to a low level (considered an acceptable level), and as a response to the risk, measures to mitigate this risk have been adopted and applied only in the form of "Training for staff on potential threats ". Of course, training on this type of subject is necessary and necessary, because it can, for example, increase the awareness of the staff. However, with regard to the scope and nature of the personal data processed in this case using this type of device, training is not an organizational measure that will allow to reduce to a low level or eliminate the risk of losing the medium. It will also not replace technical solutions that have not been provided for. However, according to the table presenting the result of risk assessment and the response to risk, depending on its amount, for the "Risk response" defined as "O - mitigation", the data controller provides for "Training, additional technical or organizational security", but in this case itself is limited only to training, while the actual securing of the carrier is left to its user, without indicating any examples, defined by the President of the Court as adequate safeguards that the employee may apply. Therefore, actions of this type cannot be considered as the implementation of appropriate technical or organizational measures in the context of Art. 24 sec. 1, art. 25 sec. 1 and art. 32 sec. 1 of Regulation 2016/679 (in particular to ensure the ability to ensure the confidentiality of data on an ongoing basis), because the employee, above all, cannot replace the data controller in the performance of his tasks under these provisions. In addition, the employee may not have the appropriate knowledge in this regard, ignore the need to secure the carrier (as was the case here - the court probation officer secured the carrier only by storing it in a sealed bag, which does not protect the carrier itself) or implement a security inadequate to the scope and nature of the data and the risks involved in this data processing. It should be emphasized that such an organized process of defining and implementing security measures for the processed personal data results in depriving the administrator of basic information necessary to properly conduct a risk analysis and on this basis to build an effective data protection system, necessary to ensure continuous data confidentiality, in accordance with the requirement resulting from in particular with Art. 32 sec. 1 lit. b) of Regulation 2016/679, because he will not have knowledge as to what safeguards exist in his organization, to what extent and for what threats they will be effective, and he will be deprived of information and the possibility of reacting to the implementation of security inadequate to the threats. In addition, one should also take into account the possibility of a new, previously unknown risk or threat that may materialize or arise during the implementation of a new security, especially if such implementation took place incorrectly. & # 13;
New risks or threats may materialize or be revealed also spontaneously, in a manner completely independent of the administrator, and this is a fact that should also be taken into account both when building a personal data protection system and during its implementation. This, in turn, defines the need to conduct regular verification of the entire personal data protection system, both in terms of adequacy and effectiveness of the implemented organizational and technical solutions. & # 13;
It should also be emphasized that the examination of the probability of a given event should not be based solely on the frequency of occurrence of events in a given organization, because the fact that an event did not occur in the past does not mean that it cannot occur in the future. & # 13;
The "Guidelines for the assessment of the likelihood and consequences of risk" presented in the course of the administrative procedure in the column "Consequences (impact) for the data subject" for each risk assessed from 1 (negligible) to 2 (low), 3 (medium), 4 (high) to 5 (very high) indicate the same consequences for a natural person in the form of: "loss of reputation, financial penalty, loss of a client, inability to provide services, legal consequences". However, in recitals 75 and 85 of the preamble to Regulation 2016/679, among the possible negative consequences for a natural person, the occurrence of physical damage, damage to property or non-property, such as: loss of control over own personal data or limitation of rights, discrimination, theft or falsification of identity, loss financial, unauthorized reversal of pseudonymization, breach of reputation, breach of confidentiality of personal data protected by professional secrecy, or any other significant economic or social harm. & # 13;
Therefore, it should be stated that the presented risk analysis was not carried out properly due to the identification of consequences of a breach of personal data protection inadequate for natural persons and the adoption of inappropriate security measures - exclusively organizational - with complete disregard of technical measures, e.g. in the form of memory stick encryption, aimed at risk reduction to an acceptable level. In addition, it should be stated that the solution adopted in this respect by the data controller (only employee training) undermines the effectiveness of the implemented personal data protection system, because, as indicated above, the result of the risk analysis should be an appropriate selection of both technical and organizational measures, i.e. specific measures that will minimize the identified risks. On the other hand, leaving the selection and implementation of security measures to the person who received an unsecured portable memory for use means that the President of the Court deprived himself of the basic data and key information necessary in the context of the performance of obligations under Art. 32 sec. 2 of the Regulation 2016/679. & # 13;
In this context, it should be noted that the Provincial Administrative Court in Warsaw, in its judgment No. II SA / Wa 2826/19 of August 26, 2020, stated that "(...) technical and organizational activities are the responsibility of the personal data administrator, but they cannot be selected in a completely free and voluntary manner, without taking into account the degree of risk and the nature of the personal data protected. "& # 13;
It should be emphasized that the President of the Court should not use unsecured portable memory devices for the proper performance of the obligations arising from the above-mentioned provisions of Regulation 2016/679. While allowing the possibility of processing personal data with their use, based on a properly conducted risk analysis, they should define and implement appropriate technical and organizational measures to ensure the security of personal data, and then regularly check the effectiveness of these measures. It should be pointed out again that pursuant to Art. 24 sec. 1, art. 25 sec. 1 and art. 32 sec. 1 and 2 of Regulation 2016/679, it is the data controller, and not an employee or a person performing official tasks, is obliged to implement appropriate technical and organizational measures so that the processing takes place in accordance with the requirements of the aforementioned regulation. This breach of personal data protection of natural persons took place as a result of failure to apply the protection of a portable storage medium, which made it possible to access personal data processed by unauthorized persons using it. & # 13;
As indicated by the Provincial Administrative Court in Warsaw in the judgment No. II SA / Wa 2826/19 of August 26, 2020 "This provision [art. 32 of Regulation 2016/679] does not require the data controller to implement any technical and organizational measures that are to constitute personal data protection measures, but requires the implementation of adequate measures. Such adequacy should be assessed in terms of the manner and purpose for which personal data are processed, but also the risk related to the processing of such personal data, which may vary in size, should be taken into account. (...) The adopted measures are to be effective, in specific cases some measures will have to be low risk mitigating measures, others - high risk mitigating measures, however, it is important that all measures (and each individually) are adequate and proportionate to the degree of risk. "& # 13;
In the order no. [...] of the President and Director of the District Court in Zgierz of [...] November 2017, adopted by the President of the Court, the Security Policy and the Instruction on the Management of the IT System for the Processing of Personal Data in the District Court in Zgierz do not indicate the regulations ensuring regular testing, measuring and assessing the effectiveness of the applied technical and organizational measures to ensure the security of data processing, which also contributed to the breach of personal data protection. & # 13;
Despite the request to present documentation confirming the actions taken by the administrator, in order to ensure the effectiveness of the introduced solutions and to confirm the regular testing, measurement and evaluation of the effectiveness of technical and organizational measures to ensure the security of personal data processed, the President of the Court, in a letter of [...] October 2020, limited only to conclude that the data protection officer carries out ad hoc checks in individual court divisions in accordance with the duty schedule, and the testing, measurement and assessment of system security and their effectiveness is carried out by the IT department without presenting, despite the request, any documentation confirming that type of action has been taken. & # 13;
Moreover, it should be noted that conducting "ad hoc checks" does not exhaust the features of regularity. In the opinion of the President of the Office, carrying out ad hoc checks, without adopting a procedure that specifies a schedule of activities ensuring regular testing, measurement and evaluation of the effectiveness of the implemented measures, is insufficient. Moreover, ad hoc actions are usually a reaction to emerging threats, materializing risks of occurrence of adverse events or situations, or a reaction to reported or disclosed gaps in the applied personal data protection system. However, they are not the result of planned activities aimed at verifying the effectiveness of the implemented security measures. Under no circumstances can you assign them the attribute of regularity as well. & # 13;
It should be emphasized that regular testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure the security of processing is a fundamental duty of each administrator and processor resulting not only from Art. 32 sec. 1 lit. d) of Regulation 2016/679, but also from the fact that during the implementation of individual processing activities, new or previously unknown risks for the security of this processing may appear or arise. The administrator is therefore obliged to verify both the selection and the level of effectiveness of the technical measures used at each stage of processing. The comprehensiveness of this verification should be assessed through the prism of adequacy to risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and purposes of processing. On the other hand, in the present state of facts, the President of the Court did not fulfill this obligation. & # 13;
Testing, measuring and evaluating the effectiveness of the adopted security measures in order to fulfill the requirement resulting from art. 32 sec. 1 lit. d) of Regulation 2016/679, must be performed on a regular basis, which means consciously planning and organizing, as well as documenting (in connection with the accountability principle referred to in Article 5 (2) of Regulation 2016/679) of this type of activities in specified time intervals, irrespective of e.g. changes in the organization and the course of data processing processes. However, the President of the Court did not take such actions. It should also be emphasized that leaving the choice of the method of securing the portable storage medium used for the processing of personal data and its implementation to the person who is its user deprives the administrator of knowledge about essential elements of the personal data protection system, which in turn prevents the proper implementation of the obligation specified in art. 32 sec. 1 lit. d) Regulation 2016/679. & # 13;
Therefore, the lack of a reliable risk analysis, combined with the lack of regular testing, measurement and evaluation of the effectiveness of the implemented technical and organizational measures to ensure the security of processing, and the failure to introduce technical and organizational measures securing personal data processed using portable storage media, led, which should be emphasized again, breach of data protection data, but also prejudices the violation by the President of the Court of the obligations incumbent on the data administrator, resulting from art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b) and lit. d) and art. 32 sec. 2 of Regulation 2016/679, and consequently also the principle expressed in art. 5 sec. 1 lit. f) Regulation 2016/679. & # 13;
It should also be emphasized that the referred to Art. 25 sec. 1 of Regulation 2016/679, despite the fact that the controller's obligation indicated therein is called "data protection at the design stage", it applies not only to the design stage, but also to the data processing stage itself. Implementation of security measures is a continuous process, not just a one-time action of an administrator. The measures mentioned therein, such as "data minimization" or "pseudonymization", are only an example of measures that should be applied in order to meet the requirement of implementing data protection principles and provide processing with the necessary safeguards to meet the requirements of the regulation and protect the rights of data subjects. concern. & # 13;
Therefore, it should be pointed out again that the obligation of each controller is to process data in accordance with the principles set out in Art. 5 of Regulation 2016/679, in this case in accordance with Art. 5 sec. 1 lit. f). & # 13;
In conclusion, despite the removal by the President of the Court of the deficiencies in the security of data processed with the use of portable storage media, including the use of encryption of these media, the lack of which resulted in the breach of the confidentiality of personal data, there were premises justifying the application to the President of the Court of the powers of the President of the Office to impose a penalty administrative for breach of the principle of confidentiality of data (Article 5 (1) (f) of Regulation 2016/679), in connection with the breach of the administrator's obligations when implementing technical and organizational measures during data processing, in order to effectively implement data protection principles (Article 25 (1) of Regulation 2016/679), obligations to ensure confidentiality, integrity, availability and resilience of data processing systems and services (Article 32 (1) (b) of Regulation 2016/679), obligation to regularly test, measure and evaluate the effectiveness of the adopted technical measures organizational and organizational measures to ensure the security of processing (Art. 32 sec. 1 lit. d) Regulation 2016/679) and the obligation to take into account the risk related to the processing resulting from unauthorized access to the processed personal data (Article 32 (2) of Regulation 2016/679). & # 13;
The exercise by the President of the Office of exercising his powers results mainly from the fact that the controller breached one of the basic principles of data processing, i.e. the principle of confidentiality, expressed in Art. 5 sec. 1 lit. f) Regulation 2016/679. & # 13;
Based on Article. 58 sec. 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other remedial measures provided for in Art. 58 sec. 2 lit. a) - h) and lit. (j) of that regulation, an administrative fine pursuant to Article 83 of the Regulation 2016/679, depending on the circumstances of the specific case. & # 13;
When deciding to impose an administrative fine on the President of the Court, as well as determining its amount, the President of the Personal Data Protection Office - pursuant to Art. 83 sec. 2 lit. a) - k) of Regulation 2016/679 - took into account, and found it aggravating for the President of the Court, the following circumstances of the case: & # 13;
a) The nature and gravity of the infringement, the number of people injured (Article 83 (2) (a) of Regulation 2016/679). The violation found in this case, which resulted in the possibility of obtaining unauthorized access to the data processed by the President of the Court by a person or unauthorized persons, and as a consequence obtaining personal data of persons against whom actions were taken by the probation officer, is of considerable importance and serious nature, creates because there is a high risk of negative legal consequences for a large number of people whose data could have been accessed by a person or unauthorized persons. The breach by the President of the Court of the obligations to apply security measures to the processed data against their disclosure to unauthorized persons entails not only the potential, but also a real possibility of using this data by third parties without the knowledge and against the will of the data subjects, contrary to the provisions of Regulation 2016 / 679, e.g. in order to establish legal relations or enter into obligations on behalf of the persons whose data was obtained, mainly due to the wide range of personal data, i.e. names and surnames, dates of birth, addresses of residence or stay, PESEL registration numbers, personal data on earnings and / or property, series and numbers of ID cards, telephone numbers, health and criminal records relating to four hundred (400) natural persons under probation officer custody. b) Duration of the infringement (Article 83 (2) letter a of the Regulation 2016/679) knows the long duration of the infringement, because the introduction of recording of portable data carriers and the encryption of data processed with their use took place only after the President of the District Court in Zgierz issued the order No. [...] of [...] February 2020. However, it should be emphasized at the same time, that the consequences of violation of the provisions of Regulation 2016/679 by the data controller are still ongoing, because the lost, unsecured storage medium has not been found so far, so the unauthorized person or persons may still have access to personal data on this medium, which results in high the risk of violating the rights or freedoms of these persons. c) The extent of the damage suffered by the persons affected by the violation (Art. 83 sec. 2 lit. and Regulation 2016/679). In the present case, there is no evidence that persons accessed by an unauthorized person or persons suffered material damage. Nevertheless, the very breach of the confidentiality of their data is a non-pecuniary damage (harm) to them; natural persons whose data has been obtained in an unauthorized way may at least fear the loss of control over their personal data, identity theft or identity fraud, discrimination or financial loss. b of the Regulation 2016/679) Unauthorized access to personal data of persons against whom the probation officer took actions became possible as a result of failure to exercise due diligence by the President of the Court and undoubtedly constitutes an unintentional nature of the infringement. Nevertheless, the President of the Court, as the administrator, is responsible for any irregularities found in the data processing process. The fact that the President of the Court transferred the obligation to secure the carrier to the probation officer, did not verify whether the probation officer had secured it in any way, and did not carry out a test in terms of the effectiveness of this protection, deserves a negative assessment. In this state of affairs, the negligence of the President of the Court should be considered gross. 25 and 32 of Regulation 2016/679 (Article 83 (2) (d) of Regulation 2016/679). Pursuant to the above-mentioned provisions, it is the personal data controller that is primarily responsible for determining what technical and organizational measures will be appropriate in relation to the identified risks. violation of the rights or freedoms of natural persons, implementation of appropriate technical and organizational measures and the obligation to evaluate them at every stage of processing. In the case at hand, the administrator did not take any steps to fulfill the obligations arising from the above-mentioned provisions of Regulation 2016/679, i.e. it did not implement technical and organizational measures adequate to the risk level to ensure the confidentiality of the processed data, and moreover, it shifted this obligation to probation officers. The transfer of the obligations of the personal data administrator in the selection and application of appropriate technical measures to other persons resulted in the use of a technical measure in the form of storing a portable storage device in a closed business bag, and thus completely inadequate in relation to the state of technical knowledge, implementation cost and the nature of , scope, context and purpose of processing as well as the risk of violating the rights or freedoms of natural persons with different probability and severity of the risk. f) Categories of personal data affected by the violation (art. 83 sec. 2 lit. g). Breach of personal data protection in the form of names and surnames, dates of birth, addresses of residence or stay, PESEL registration numbers, data on earnings and / or property, series and numbers of ID cards, telephone numbers and data subject to special protection in accordance with art. . 9 of Regulation 2016/679 (health data), as well as data on criminal convictions and offenses referred to in art. 10 of Regulation 2016/679, may result in a wide range of negative effects for data subjects. As indicated in recital 75 of the preamble to Regulation 2016/679, "The risk of violating the rights and freedoms of persons, with different probability and severity of threats, may result from the processing of personal data that may lead to physical or material or non-material damage, in particular: if the processing may result in discrimination, identity theft or identity fraud, financial loss, damage to reputation, breach of the confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymisation or any other significant economic or social harm; if data subjects may be deprived of their rights and freedoms or the ability to exercise control over their personal data; if personal data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership are processed and if genetic data, data concerning health or data concerning sexuality or criminal convictions and violations of the law or related security measures are processed (...) ". In turn, recital 85 of the preamble to Regulation 2016/679 shows that "In the absence of an appropriate and quick response, a breach of personal data protection may result in physical, property or non-material damage to natural persons, such as loss of control over own personal data or limitation of rights, discrimination, identity theft or falsification, financial loss, unauthorized reversal of pseudonymisation, breach of reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic harm to society (…) ”. In addition, it should be noted that the processing of personal data of special categories, specified in art. 9 of Regulation 2016/679 and the data on convictions referred to in Art. 10 of Regulation 2016/679, due to its scope, and thus possible negative consequences of their disclosure, should result in the introduction of a much higher level of protection of this personal data. & # 13;
When determining the amount of the administrative fine, the President of the Personal Data Protection Office took into account, as a mitigating circumstance, which had an impact on reducing the amount of the imposed fine, good cooperation of the President of the Court with the supervisory authority, undertaken and carried out in order to remove the infringement and mitigate its possible negative effects (Article 83 par. 2 (f) of the Regulation 2016/679). It should be noted here that the President of the Court correctly fulfilled his procedural obligations during the administrative procedure, which ended with the issuance of this decision. The President of the Court also took specific and quick actions, the effect of which was to remove the possibility of an infringement. In particular, the President of the Court removed the susceptibility to violation of the protection of personal data being processed, within 8 days from the occurrence of the violation, he issued an order specifying new rules for dealing with portable memory devices, then within the next 14 days he introduced recording and encryption of the used portable memory devices and notified natural persons about the violation protect their personal data by posting a message about the identified personal data breach. & # 13;
The fact that the President of the Office applied in this case the sanctions in the form of an administrative fine, as well as its amount, did not apply to other sanctions indicated in Art. 83 sec. 2 of Regulation 2016/679, the circumstances: a) actions taken by the President of the Court in order to minimize the damage suffered by data subjects (Article 83 (2) (c) of Regulation 2016/679) - such actions have not been taken; b) relevant previous violations of the provisions of Regulation 2016/679 by the President of the Court (Article 83 (2) (e) of Regulation 2016/679) - no other violations of personal data protection were found; c) the manner in which the supervisory authority learned about the violation (Article 83 (2) (h) of Regulation 2016/679). According to Art. 33 paragraph 1 of Regulation 2016/679, in the event of a breach of personal data protection, the controller shall, without undue delay - if possible, no later than 72 hours after finding the breach - reports it to the supervisory authority. It is a fact that in the notification of a breach of personal data protection constituting the basis for initiating administrative proceedings, the District Court in Zgierz was indicated as the administrator of personal data, but it is also a fact that the President of the Court acted on behalf of the Court - it can therefore be assumed that it is this data administrator has sent a notification of a breach of personal data protection, so it should be considered that he has fulfilled the obligation indicated in the above-mentioned provision; d) compliance with the measures previously applied in the same case, referred to in Art. 58 sec. 2 of Regulation 2016/679 (Article 83 (2) (i) of Regulation 2016/679) - the measures indicated in art. 58 sec. 2 of Regulation 2016/679; e) application of approved codes of conduct pursuant to Art. 40 of the Regulation 2016/679 or approved certification mechanisms pursuant to Art. 42 of Regulation 2016/679 (Article 83 (2) (j) of Regulation 2016/679) - the approved codes of conduct have not been applied; . k) - no material gain or loss avoidance was found. & # 13;
Taking into account all the above-mentioned circumstances, the President of the Personal Data Protection Office decided that the imposition of an administrative fine on the President of the Court is necessary and justified by the weight, nature and scope of the violations alleged against the President of the Court. It should be stated that any other remedy provided for in Art. 58 sec. 2 of Regulation 2016/679, and in particular stopping at an admonition (Article 58 (2) (b)), would not be proportionate to the identified irregularities in the processing of personal data and would not guarantee that the President of the Court will not make further negligence in the future . & # 13;
Referring to the amount of the administrative fine imposed on the President of the Court, the President of the Office for Personal Data Protection decided that in the established circumstances of the case - i.e. in view of the violation of several provisions of Regulation 2016/679 (the principle of data confidentiality, expressed in Article 5 (1) f), and reflected in the obligations set out in Art. 25 sec. 1, art. 32 sec. 1 lit. b) and lit. d) and art. 32 sec. 2) and the fact that the President of the Court is a body of the public finance sector entity - Art. 102 of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), which results in the limitation of the amount (up to PLN 100,000) of an administrative fine that may be imposed on a public finance sector entity. & # 13;
In the presented facts, the most serious violation by the President of the Court of the principle of confidentiality specified in Art. 5 sec. 1 lit. f) Regulation 2016/679. This is supported by the serious nature of the breach, the scope of the personal data subject to the breach and the group of people affected by it (400 - 400 people, the administrator of which is the President of the Court). Importantly, in relation to the above-mentioned number of people, there is still a high risk of unlawful use of their personal data, because the purpose for which a person or unauthorized persons may take action to use this data is unknown. & # 13;
In the opinion of the President of the Office, the applied administrative fine performs the functions referred to in Art. 83 sec. 1 of Regulation 2016/679, i.e. it will be effective, proportionate and dissuasive in this individual case. & # 13;
In the opinion of the President of the Office, the penalty imposed on the President of the Court will be effective, because it will lead to a state in which the President of the Court will apply such technical and organizational measures that will ensure the level of security for the data processed, corresponding to the risk of violation of the rights and freedoms of data subjects and the gravity of the threats accompanying the processes. processing of this personal data. The effectiveness of the penalty is therefore equivalent to the guarantee that the President of the Court, from the moment of the conclusion of these proceedings, will follow the requirements of the provisions on the protection of personal data with the utmost care. & # 13;
The applied administrative pecuniary penalty is also proportional to the infringement found, in particular its gravity, effect, the group of individuals affected by it and the very high risk of negative consequences that they incur in connection with the infringement. In the opinion of the President of the Office, the administrative fine imposed on the President of the Court will not constitute an excessive burden for him. The amount of the fine has been set at such a level that, on the one hand, it constitutes an adequate reaction of the supervisory authority to the degree of breach of the administrator's obligations, on the other hand, it does not result in a situation in which the necessity to pay it will entail negative consequences, in the form of a significant deterioration of the administrator's financial situation. . In the opinion of the President of the Office, the President of the Court should and is able to bear the consequences of his negligence in the field of data protection, hence the imposition of a fine of PLN 10,000 (ten thousand PLN) is fully justified. & # 13;
In the opinion of the President of the Personal Data Protection Office, the administrative fine will fulfill a repressive function in these specific circumstances, as it will be a response to the violation by the President of the Court of the provisions of Regulation 2016/679, but also preventive, as it will contribute to preventing future violations of the obligations of the President of the Court resulting from the provisions on the protection of personal data, both in the processing of data by the President of the Court himself and in relation to entities acting on his behalf. & # 13;
In the opinion of the President of the Personal Data Protection Office, the applied fine meets the conditions referred to in Art. 83 sec. 1 of Regulation 2016/679 due to the importance of the breaches found in the context of the basic requirements and principles of Regulation 2016/679 - in particular the principle of confidentiality expressed in Art. 5 sec. 1 lit. f) Regulation 2016/679. & # 13;
The purpose of the penalty is to ensure that the President of the Court complies with the provisions of Regulation 2016/679 in the future. & # 13;
Bearing in mind the above, the President of the Personal Data Protection Office resolved as in the operative part of this decision. & # 13;

        
        
            2021-07-22