UODO - DKN.5131.6.2020

From GDPRhub
UODO - DKN.5131.6.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 33(1) GDPR
Article 34(1) GDPR
Article 34(2) GDPR
Article 34(4) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 05.01.2021
Published: n/a
Fine: 25000 PLN
Parties: n/a
National Case Number/Name: DKN.5131.6.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish DPA imposed a fine of €5,500 on the Silesian Medical University for a data protection breach in which the University failed to notify both the supervisory authority and the persons affected by the incident. In addition to the fine imposed, the supervisory authority also ordered the university to notify the persons affected by the data breach, which had occurred in connection with exams conducted in the form of videoconferencing on a special e-learning platform for this purpose.

English Summary[edit | edit source]

Facts[edit | edit source]

During the examinations held at the end of May 2020 in the form of videoconferencing, student identification took place. After the exam, the recordings of the exams were available not only to the examinees but also to other people with access to the system. Besides, using a direct link, any outsider could access the exam recordings and the data of the examined students presented during the identification.

The university had notified neither the DPA, nor the data subjects. The controller argued that it was not necessary to notify the UODO in relation to the breach because, in its view, the risk to the rights or freedoms of those affected by the incident was low.

Dispute[edit | edit source]

Did the data breach involve a high risk to data subjects and therefore should the university have notified the DPA and data subjects?

Holding[edit | edit source]

The Polish DPA found that the University violated Article 33(1) GDPR and Article 34, because it had notified neither the supervisory authority, nor the data subjects about the data protection breach. As a result UODO imposed a fine on the university in the amount of EUR 5,500.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Pursuant to Article 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256 as amended), Article 7 (1), Article 60 and Article 102 (1) (1) and (3) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019. item 1781), as well as Article 57 (1) (a), Article 58 (2) (e) and (i), Article 83 (1) - (3) and Article 83 (4) (a) in connection with Article 33 (1) and Article 34 (1), (2) and (4) of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4.05.2016, p. 1 and Official Journal of the EU L 127 of 23.05.2018, p. 2), hereinafter also referred to as "Regulation 2016/679", having conducted administrative proceedings concerning the failure of the Silesian Medical University in Katowice, 15 Księcia Józefa Poniatowskiego Street, to report a breach of personal data protection to the President of the Office for Personal Data Protection and the failure of the Silesian Medical University in Katowice, 15 Księcia Józefa Poniatowskiego Street, to notify of the breach of personal data protection to the persons affected by the breach, the President of the Office for Personal Data Protection
ascertaining the violation of the following provisions by the Medical University of Silesia in Katowice, ul. Książcia Józefa Poniatowskiego 15:

(a) Article 33(1) of Regulation 2016/679, consisting in the failure to notify the President of the Office for Personal Data Protection of a personal data protection breach without undue delay, no later than 72 hours after the breach was discovered,

(b) Article 34(1) of Regulation 2016/679, consisting in the failure to notify the data subjects of a personal data protection breach without undue delay,

1) imposes on the Silesian Medical University in Katowice, ul. Księcia Józefa Poniatowskiego 15, a fine of PLN 25,000 (in words: twenty-five thousand PLN),

2) orders to notify the data subjects of the personal data protection breach in order to provide them with the information required under Article 34(2) of Regulation 2016/679, i.e:

(a) a description of the nature of the personal data breach;

(b) the name and contact details of the Data Protection Officer or the designation of another contact point from which further information may be obtained;

(c) a description of the possible consequences of the personal data breach;

(d) a description of the measures implemented or proposed by the controller to address the breach, including measures to minimise its possible adverse effects,

within 3 days of the date on which this Decision becomes final.

Justification

The President of the Office for Personal Data Protection, hereinafter also referred to as "the President of the Office for Harmonization in the Internal Market", received information from several persons concerning a personal data protection infringement, including, inter alia, on [...] July 2020, from a person who lodged a related complaint. According to the information provided by that person, the breach consisted in making available on the [...] platform (in which 237 persons were registered as at [...].06.2020) recordings depicting the course of practical examinations in paediatrics organised by [...] of the Silesian Medical University in Katowice (hereinafter referred to as the "Administrator"), which took place on three dates: [...].05.2020, [...].05.2020 and [...].05.2020, with the majority of participating students being identified by a student card or ID card when taking the exam. The information (in which the Administrator is also referred to by the abbreviation: "AOD") also shows that "On [...].06.2020, one of the students informed the group leaders that recordings of all sections examined since the beginning of the exams had been uploaded on the aforementioned platform, which we did not expect as we were not warned that the recording would be made available to a wider group of people after we had been examined. As the recording was available to the public, information about the release of the recording was sent to each other within the student body, and alarmed students began to check that their ID card details were clearly visible. Many people logged on to the platform or sent each other links to the recordings. On the part of the AOD, there was no response, we did not receive any information about the mishandling of our personal data, so fearing that the recording would be deleted to cover up the incident of the security breach of our data, in order to secure evidence of the mishandling by the AOD, we decided to secure the file. In order to secure evidence to support our report, photographs were also taken of the computer screen where the recordings were paused and our colleagues' ID cards were visible. On checking the links, it was found that it was possible to view the recording after obtaining the link to [...] without logging in, which was evidence that our personal information visible in the videos had not been secured. The semester starter made a phone call to the [...] Exercise Manager to inform about the situation and to ask her to report it to UODO, as students were reporting their ID cards as restricted in banks and other institutions after the incident. After some time, we received information from the Head of the Department (...) that we, students, had stolen personal data, which had been leaked through our fault, and the person who had downloaded the file faced criminal liability". Furthermore, the information stated that 'It is not true that access to the recordings before they were hidden was available only to the users of the elearning platform assigned to the course - students and authorised University employees, because access to the recording for a period of at least several days (respectively from [...]. May 2020, [...].05.2020 or [...].05.2020 respectively) were also available to other persons - all students from groups 1-7 of the 6th year, persons doing homework, students from the Faculty of [...], as well as any person with a link to the recording. (...) The full circle of persons who could have gained access to our personal data, as well as the scope of personal data pertaining to specific persons whose data were accessed, is not known to us, because the AOD, questioning his responsibility for the breach of security of their processing, did not cooperate with us to clarify the circumstances of the incident. (...) The claim that only 26 people had access to the recordings is completely untrue. The letter of [...].06.2020 refers to an analysis of the secured evidence which would supposedly indicate that only 26 people had limited access. This information is so unreliable that it raises our doubts as to the reliability of the AOD in the case - who, after all, is an entity with an interest in not disclosing the fact of the breach committed by its employees. At this point I would like to clarify that each academic group has 26 students, while the disseminated recordings concerned exams of at least 6 groups from our semester. Moreover, the recordings were also available to students from the Faculty of [...] and people doing homework (approximately 200 people)". Moreover, according to the information provided by this person, "It is a fact that [...] initiated a 'data leak' mechanism, i.e. they reported the information about the breach of personal data security provided by the students to the Dean and the Rector, but ultimately the IODO appointed by the Administrator and the Rector (who is a 'decision-making unit', as the IODO put it) expressed the position that the incident of viewing by 200 people the ID cards of some 100-150 other people is not a leak of personal data".

In connection with the above information about the breach of the confidentiality of the personal data of the majority of the students participating in these examinations, with regard to the data on their student cards or ID cards, on [...] July 2020. The President of the Office for Personal Data Protection, pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, asked the Controller to clarify whether, in connection with the incident, an analysis of the incident in terms of the risk of infringement of the rights and freedoms of natural persons necessary to assess whether a data protection breach resulting in the need to notify the President of the Office for Personal Data Protection and the persons affected by the breach had been carried out. In the letter, the President of the DPAO indicated to the Administrator how he could notify the breach and called for explanations within 7 days from the date of receiving the letter.

It results from the response to the above, which the Administrator submitted by letter dated [...] August 2020, that the personal data protection breach consisting in the disclosure of personal data to unauthorised recipients took place. The letter also shows that the Controller assessed the incident in terms of the risk of infringement of the rights or freedoms of natural persons. The Administrator indicated that "Logs and information on persons, who downloaded the recordings, have been secured (...) The findings indicate that the security mechanisms of the e-learning platform have not been broken and no so-called data leakage occurred. Moreover, on the basis of analyses carried out by the Administrator of the e-learning platform and the [...] Department, it was determined that the recordings were downloaded by 26 persons known to the University by name - members of the University community, i.e. (examined students of a given course and academic teachers), who are individually responsible for not disseminating them. In view of the scope of the release of the said recordings limited only to the participants of the examination and the low probability of infringement of the rights and freedoms of the data subjects, the University waived the obligation to report the infringement to the Office for Personal Data Protection referred to in Article 33(1) of the RODO Regulation." The controller also stated in the letter that "the Dean of the Faculty [...] has been instructed that in the event of becoming aware of unethical use of data by students or employees, there are prerequisites for the implementation of disciplinary proceedings referred to in Article 275 and Article 307 of the Act of 20.07.2018. Law on Higher Education and Science (i.e. Journal of Laws of 2020, item 85, as amended)". Furthermore, the explanations in this letter show that "The Administrator of the e-learning Platform has developed a proprietary fix to the system [...] preventing students from downloading videos. Downloading videos is a normal functionality of the system (it does not belong to hacking activities or vulnerabilities of the system) for logged-in students and is recorded - the created virtual room is available only for the examined group and only these people have access to the recorded material. The instructor's error was in not disabling the room and accessing it after the exam was over." As can be seen from the above, the Administrator concluded that the breach was unlikely to result in a risk of infringement of data subjects' rights or freedoms.

In relation to the above-mentioned letter - due to the assessment of the risk of infringement of rights or freedoms of data subjects contained therein, the President of the DPA, in a letter dated [...] September 2020, informed the Controller that, pursuant to Article 33(1) of Regulation 2016/679, in case of a personal data breach, the controller shall, without undue delay - if possible, not later than 72 hours after the breach is identified - notify it to the supervisory authority competent pursuant to Art. 55, unless the breach is unlikely to result in a risk of prejudice to the rights or freedoms of natural persons and that a notification submitted to the supervisory authority after the expiry of 72 hours shall be accompanied by an explanation of the reasons for the delay. Furthermore, he pointed out to the Administrator that "In assessing whether a breach results in a risk of infringement of the rights or freedoms of individuals, the contents of, inter alia, recitals 75 and 85 of the aforementioned Regulation should be taken into account. Furthermore, the Article 29 Working Party, in its Guidelines on Notification of Personal Data Breaches under Regulation 2016/679 (WP250rev.01), indicated that the Controller, when assessing the risk to individuals resulting from a breach, should take into account the specific circumstances of the breach, including the gravity of the potential impact and the likelihood of its occurrence, and recommended that the criteria indicated in those Guidelines should be taken into account during the assessment. The above-mentioned Guidelines also clarified that when assessing the risk that may arise from a breach, the controller should take into account the gravity of the potential impact on the rights and freedoms of individuals and the likelihood of its occurrence together. Obviously, the risk increases when the consequences of the breach are more serious, as well as when the likelihood of their occurrence increases. In case of any doubt, the controller should report the breach, even if such caution could prove to be excessive. It should be noted that the above-mentioned recordings show, among other things, students' IDs and student cards, therefore it should be assessed what kind of data has been made available to unauthorised persons and, consequently, what the risk of violation of rights or freedoms of natural persons is. At the same time, pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, the President of the Office for Harmonisation in the Internal Market called on the Administrator to provide, within 7 days from the date of the delivery of the letter, information on whether, in connection with the incident, a new analysis of the incident in terms of the risk of infringement of the rights and freedoms of natural persons was performed, which is necessary to assess whether a data protection breach resulting in the need to notify the President of the Office for Personal Data Protection and the persons affected by the breach has occurred, and, if so, whether the results of the re-performed analysis are identical to the results of the administrator's previous assessment of the aforementioned incident.

In a response dated [...] September 2020. The Administrator informed the President of the DPA that "(...) since the date of the first explanations (...) until today, the University has not received any additional information directly influencing the factors determining the need to conduct a new risk analysis of the incident, the possible escalation of which was immediately, effectively and technically stopped. Additionally, I would like to clarify that the recordings of the course of the examination were available to the students of the marked year of one course and the lecturers teaching the course, where as far as the knowledge of the identity of the data subjects is concerned such information is mutually available. However, it is indisputable that the scope of data that could be downloaded by the abovementioned group of persons was wider, nevertheless, effective measures were taken to block this infringement along with original IT reprogramming of the e-learning platform functionality. Due to the fact that the recordings could be downloaded by the above-described group being a separate part of the academic community, the risk of infringement of rights and freedoms of data subjects was assessed as low". The explanations were accompanied by a letter in which the then Rector instructed the Dean of Faculty to provide all students with, among other things, the information that "5. If you are aware of circumstances of unethical use of personal data by students or staff I kindly ask you to provide me with such information in writing together with supporting evidence. If the above information about a breach of security is confirmed, I kindly request that the relevant disciplinary ombudsman be requested to initiate an investigation and, if justified, a subsequent disciplinary procedure with all sanctions provided for by law, including removal from the list of students or termination of employment, as well as the University's legal obligations, in particular to notify the relevant law enforcement authorities." It also appears from the above-mentioned letter from the Administrator that "The University has not received any information in relation to para. 5 of the cited letter, which could be relevant to the case and implying the necessity of re-examination. It is important to emphasise that every student of the Medical University of Silesia in Katowice is obliged to respect the dignity of every human being, and in particular, each other within the academic environment. Such an obligation is known to students and expressed in the Study Regulations of the Medical University of Silesia in Katowice and is confirmed by the signature of each student. Moreover, students are obliged by the Statute of the University to observe internal regulations binding at the University (norms, rules of coexistence and academic customs), including in particular those concerning protection of privacy. Bearing in mind the above-mentioned obligations of students and other members of the academic community with regard to reporting information security incidents, the University did not receive any information which could have an impact on changing the level of risk or which would require taking other technical and organisational measures expanding the catalogue of actions taken".

Moreover, on [...] September 2020. In addition, on [...] September 2020, the Administrator sent a letter to the President of the Office for Personal Data Protection concerning complaints against the Administrator in connection with the incident, in which the Administrator informed that "The analysis of the complaints (...) indicates that the blank standardised content of the complaint and, what is more important, attachments presented therein (including correspondence and screenshots) were shared by the initiator(s) of individual complaints or were made available by the author of the content of the standardised complaints to an unspecified group of students, which in the light of the above-mentioned context makes the Administrator responsible for dissemination of the information. which makes him, in the light of the above context, responsible for dissemination of information in an uncontrolled manner (blank template with attachments). Therefore, no such fault can be attributed to the Medical University of Silesia in Katowice, which took all available and possible effective measures (...) to block this infringement along with original IT reprogramming of the e-learning platform functionality. The above makes the bearer of the blank complaint template the sole owner of the risk of infringement of rights and freedoms of persons whose data is included in the attachments, because according to the explanations provided by the University, only 26 persons known to the University by name had access to the recordings made available within the group of students, and what is important, the list of persons that I enclose to this letter does not correlate with the personal data of the complainants. Therefore, the complainants who do not appear on the attached list were not able to obtain the recording of the examination directly from the University's e-learning system, but if this took place, secondarily probably falling victim to manipulation".

In view of the failure to report the breach of personal data protection to the President of the Office for Personal Data Protection and the failure to notify the affected persons of the breach of personal data protection, on [...] October 2020 The President of the Office for Personal Data Protection initiated administrative proceedings against the Administrator (reference letter: [...]).

In response to the above, in a letter dated [...] October 2020, the Administrator explained that he considered that "it is unlikely that the breach in question would result in a risk of infringement of the rights and freedoms of natural persons for the following reasons:

1. (...) the recordings were accidentally made available on the e-learning platform of the Silesian Medical University as a result of an information security incident, which consisted in the failure to close the videoconference room where the exam was conducted by an employee error [...]. Lack of closure of the videoconference room, in which the exam was recorded, resulted in the fact that after the e-learning platform finished rendering, a file with the recording of the exam was published automatically by the system in this room (available for logged-in users). Within the framework of the undertaken actions, the administrator of the platform developed an author's correction for the [...] system, which makes it technically impossible to repeat the situation that occurred.

2. the abovementioned file with the examination course was accessible only to logged-in students of a specific field and year of study - the analysis of system logs shows that there were 240 persons (...)

3. the examination file was downloaded by 26 persons, which is the actual scope of access. Among the 26 persons mentioned above, there are 2 academic teachers and one e-learning platform administrator. (…)

The analysis of the recordings of the exams shows that the IDs were presented by the students sporadically and only the first page with a photograph was presented (which refers to a possibly wider range of data disclosed by the student than the data processed during the exam: image, voice, name, surname, information about the group, year of study, major, subject and the answers given during the exam).

Most importantly, many of the presented documents were completely illegible due to the quality of students' connections, and in other cases the quality can be described as borderline legible (...)

(6) Additionally, I would like to point out that the generated recording, which could be accessed by students via an online streaming player embedded in a web browser, could also, due to the quality of the recipient's connection, be of lower quality than described in the previous point - most likely completely blurred and unreadable.

7 The context of the processing is also worth mentioning, as if the oral examination was conducted in a traditional form, a given student group would have access or be able to view the same range of data of the examined Student. The difference lies only in the remote form of education and the incident, the occurrence of which gave the possibility to play the recording of the aforementioned 26 persons logged into the elearning platform - members of the academic community".

In the letter, the Administrator further explained that "(...) the University in accordance with Article 76a of the Act of 20 July 2018. - Law on Higher Education and Science (Dz.U. 2018 item 1668 as amended), which was added by the Act of 16.04.2020. (Dz.U. z 2020 r. poz. 695), from [...].04.2020 it could organise the verification of the achieved learning outcomes specified in the study programme, in particular conduct credit and final examinations of specific courses and diploma examinations, outside the seat of the university or outside its branch using information technology ensuring their control and registration. In connection with the abovementioned legal basis and the changed examination method, an academic teacher had to verify the identity of the examination participant in order to ensure the proper conduct of the examination". It was also emphasised that "(...) the University has set up a number of information channels through which students could obtain information about the incident on an individual or anonymous basis, which, however, the complainants did not use (...). The aforementioned information channels obviously do not replace the obligations set out in Article 34 of the RODO, however, they give the students an opportunity to present additional information, reports, concerns and other circumstances which could result in a change of the assessment of the risk of infringement of rights and freedoms of the data subjects, and thus imply undertaking information activities by the Controller both towards students and the Office for Personal Data Protection within the statutory deadline".

Having reviewed all the evidence gathered in the case, the President of the Office for the Protection of Personal Data considered the following:

According to Article 4(12) of Regulation 2016/679, "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.

Article 33(1) and (3) of Regulation 2016/679 provide that in the event of a personal data breach, the controller shall, without undue delay - where possible, no later than 72 hours after the breach is identified - notify it to the supervisory authority competent under Article 55, unless the breach is unlikely to result in a risk of prejudice to the rights or freedoms of natural persons. A notification submitted to the supervisory authority after the expiry of the 72 hour period shall be accompanied by an explanation of the reasons for the delay. The notification referred to in paragraph 1 shall at least (a) describe the nature of the personal data breach including, as far as possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned by the breach; (b) include the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the possible consequences of the personal data breach; (d) describe the measures implemented or proposed by the controller to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects.

In turn, Article 34(1) of Regulation 2016/679 indicates that where a personal data breach is likely to result in a high risk of harm to the rights or freedoms of natural persons, the controller shall, without undue delay, notify the data subject of the breach. According to Article 34(2) of Regulation 2016/679, a proper notification shall:

1. describe in clear and plain language the nature of the personal data breach;

2. contain at least the information and measures referred to in Article 33(3)(b), (c) and (d) of Regulation 2016/679, i.e:

a. the name and contact details of the Data Protection Officer or the designation of another contact point from which further information can be obtained;

b. a description of the possible consequences of the personal data breach;

c. a description of the measures implemented or proposed by the controller to address the personal data breach, including, as appropriate, measures to minimise its possible adverse effects.

In the case at hand, a breach of personal data protection occurred in the form of making available, on the [...] platform, recordings of practical examinations, in the course of which most of the participants - students - were identified by a student card or an ID card. The administrator did not dispute that such a situation occurred - he even indicated in his explanations that, quote: "(...) the academic teacher, in order to ensure the proper conduct of the examination, had to verify the identity of the examination participant". However, the administrator argued that, quote: "(...) ID cards were presented by the Students sporadically and only the first page with a photograph was presented (which refers to a possibly wider range of data disclosed by the Student than that processed during the examination: image, voice, name, surname, information about the group, year of study, faculty, subject and answers given during the examination)". Referring to the above, it should be pointed out that the data visible on the first page of the identity card (depending on the moment of its issue, as at present there are three different models of ID cards in circulation), apart from: a photograph, first names, surname, date of birth and sex, additionally include:

1) for ID cards issued before 1 March 2015: family name, parents' names, signature, ID card number and expiry date,

2) for identity cards issued from 1 March 2015 to 3 March 2019: family name, parents' names,

3) for identity cards issued after 4 March 2019: nationality, identity card number and expiry date.

In addition, the Administrator did not address the issue of the data visible on the student cards that students presented in connection with taking the examination. According to:

1) the Regulation of the Minister of Science and Higher Education of 14 September 2011 on the documentation of the course of studies (Journal of Laws of 2011, item 201, No. 1188, as amended. - in force since 1 October 2011, repealed on 1 October 2016),

2) Regulation of the Minister of Science and Higher Education of 16 September 2016 on the documentation of the course of studies (Journal of Laws 2016, item 1554, as amended. - in force as of 1 October 2016, repealed as of 1 October 2018), which specify the template of the electronic student card, the card shows: a colour photograph of the card holder, the name of the university, first name, surname, address, date of issue, album number, PESEL number (and in the case of foreigners: date of birth, respectively). However, according to the currently binding regulation of the Minister of Science and Higher Education of 27 September 2018 on studies (Journal of Laws of 2018, item 1861, as amended. - in force since 1 October 2018), such a card contains all the aforementioned data except for the student's address.

In the explanations submitted, the Administrator indicated that the recorded data on the above-mentioned documents may have remained illegible or only partially legible. This statement may raise doubts in the context of the purpose for which these documents were presented, i.e. verification of the identity of the person taking the examination. Furthermore, the fact that the data may have been partially legible does not exclude the possibility that an unauthorised person may have read it. Finally, the existence of programmes enabling the appropriate processing of photographs or recordings in such a way as to make it possible to read the data cannot be disregarded. All these circumstances, as significant ones, should be taken into account by the Controller when assessing whether a personal data protection breach occurred, what was its scale and whether it potentially posed a risk of infringing the rights or freedoms of data subjects, and whether the risk was high. However, as it results from the explanations provided, the controller did not do it.

It should also be stressed that in the case at hand it is not important whether the unauthorized recipient actually came into possession of and became acquainted with personal data of other persons, but that such a risk occurred and, consequently, the risk of infringement of rights or freedoms of data subjects also potentially occurred. In his explanations, the controller emphasised that he had not received any information indicating any unauthorised use of the personal data provided as a result of the breach in question. Therefore, he considered that the breach did not involve the risk of infringement of rights or freedoms of the persons affected by it. It is worth stressing that the controller foresaw that the breach might involve such a risk - it is evidenced by the fact that the controller asked for information on possible unauthorised use of the personal data provided and threatened with consequences that such use might entail (disciplinary proceedings, expulsion from the list of students, termination of employment relationship, notification of law enforcement bodies). Making the reaction to a breach dependent on the occurrence of its potential consequences is contrary to the principle according to which the controller is supposed to counteract the consequences of the breach or minimize its negative effects (when it is no longer justified to apply measures preventing them). It should be stressed that the possible consequences of the occurrence do not have to materialise - Article 33(1) of Regulation 2016/679 indicates that the mere occurrence of a personal data breach involving a risk of infringement of the rights or freedoms of natural persons implies the obligation to notify the breach to the competent supervisory authority. Therefore, the circumstance raised by the Controller that, quote: "no information has been received by the University which may affect the change of the risk level or which requires other technical and organisational measures extending the catalogue of actions taken" is not relevant for the determination of the existence of the obligation on the part of the Administrator to notify the personal data protection breach in question to the President of the DPA, pursuant to Article 33(1) of Regulation 2016/679. 

In the present case, there was a risk of unauthorised possession of personal data by as many people as had potential access to it. This is at least as many people as were registered on the platform, as the information received by the Office herein shows that it was "possible to view the recording after obtaining a link to [...] without logging in". The explanations submitted by the Administrator on [...] September 2020 also indicate that a wider group of persons than assumed by the Administrator gained access to the recordings in question. It should also be stressed that the fact that the file containing the recording in question may be opened by anyone, downloaded or further shared leads to an increase in the scale of the breach and thus to a risk of infringement of the rights or freedoms of data subjects.

In view of the above, it should be concluded that as a result of the incident in question, the confidentiality of the data of persons who, while taking examinations, had student cards or ID cards visible in the recording in question was breached - as regards the data contained in these documents - i.e. there was a breach of security leading to accidental, unauthorized disclosure of the data of these persons, which unambiguously determines that there was a breach of personal data protection. It is also worth pointing out that, as a result of the incident, unauthorised recipients had access, apart from the data on the documents they showed, to information concerning the student: about the group, year of study, course, subject and answers given during the examination.

It should be stressed that the breach of data confidentiality that occurred in the present case, in connection with the breach of personal data protection consisting in making available, on the [...] platform, recordings showing the course of practical examinations, in the course of which the majority of the participating students were identified with student identity cards or ID cards, as a result of which the confidentiality of the data of these students was breached as regards the data on their student identity cards or ID cards, results in a high risk of infringement of the rights or freedoms of natural persons. As the Article 29 Working Party points out in the Guidelines for reporting personal data breaches under Regulation 2016/679, hereinafter also referred to as , the Guidelines: "This risk exists where the breach is likely to lead to physical harm or property or non-property damage to the individuals whose data has been breached. Examples of such harm include discrimination, identity theft or falsification, financial loss and damage to reputation". There is no doubt that the examples of harm referred to in the Guidelines may occur in the case of persons whose personal data - in some cases including their PESEL registration number or identity card series and number - have been recorded in the recordings made available. The possibility to easily, on the basis of disclosed data, identify persons whose data have been infringed is not without significance for such an assessment. In the case in question, there were revealed recordings on which images and voices of students were recorded, who, when taking exams, presented student identity cards or ID cards containing the above mentioned personal data - in some cases also PESEL identification number or series and number of ID card in combination with other data. In addition, by making these recordings available to unauthorised persons, other data was disclosed, such as quote: "(...) information about the group, year of study, course, subject and the answers given during the examination".  Consequently, this means that there is a high risk of infringement of the rights or freedoms of the persons affected by the breach in question, which in turn gives rise to an obligation on the part of the Controller to notify the personal data breach to the supervisory authority in accordance with Article 33(1) of Regulation 2016/679, which must contain the information set out in Article 33(3) of that Regulation, and to notify those persons of the breach in accordance with Article 34(1) of Regulation 2016/679, which must contain the information set out in Article 34(2) of that Regulation.

The above assessment is not affected by whether the file containing the recording of the exams in question was downloaded by twenty-six persons, a number indicated by the administrator in the explanations submitted. There is no certainty that the file was not subsequently made available to other unauthorized recipients, whereas the administrator cannot hold the persons to whom the recordings were made available responsible for the infringement. It is worth stressing again that the information received by the President of the Office for Harmonisation in the Internal Market (OCCP) in connection with the incident shows, among other things, that there was a 'possibility to watch the recording after obtaining a link to [...] without the necessity to log in'. Even if it were to be assumed that only the above-mentioned twenty-six persons had the possibility to get acquainted with the personal data depicted in the made available recording, the fact that these persons had any relationship with the Administrator does not give any guarantees as to the intentions of these persons, and the possible consequences of using such categories of data may be significant for the persons whose data was affected by the breach. The aforementioned guidelines state: , "Whether a controller knows that personal data is in the hands of persons whose intentions are unknown or who may have bad intentions may be relevant to the level of potential risk. There may be a breach of data confidentiality whereby personal data are accidentally disclosed to a third party, as defined in Article 4(10), or to another recipient. This could occur, for example, if personal data are accidentally sent to the wrong department of an organisation or to a supplier organisation whose services are commonly used. The controller may request the recipient to return or securely destroy the data received. In both cases - due to the fact that the controller has an ongoing relationship with these entities and may know their procedures, history and other relevant details about them - the recipient can be considered 'trusted'. In other words, the controller can trust the recipient sufficiently to reasonably expect that this party will not read or see the data sent in error and will comply with the order to return them." In the present case, however, there are no grounds to consider and treat unauthorised recipients as "trusted recipients", which prejudges the existence of a risk of violation of rights or freedoms for the persons affected by the infringement in question. Furthermore, the WP29 guidelines clearly indicate that "in case of any doubt, the controller should report the breach, even if such precaution could prove to be excessive".

It is also irrelevant that 'as part of the measures taken, the Platform Administrator developed a copyright amendment to the system [...], which makes it technically impossible to repeat the situation'. The data were made available to unauthorised persons, which means (which should be stressed again) that there was a breach of security leading to unauthorised disclosure of personal data, and the scope of the data (including, in some cases, also the PESEL identification number or series and number of ID card) determines that there was a high risk of violation of rights or freedoms of natural persons. The development and implementation of such amendment should be considered as a measure taken by the Controller in order to minimize the risk of such violation in the future, and not as a measure minimizing the risk of violation of rights or freedoms of the individuals to whom the data refer. Also, the fact that the controller determined who were the persons who downloaded the file containing the recordings in question does not minimise the risk of infringement of rights or freedoms of the data subjects. At the same time it should be stressed that the controller allowing for the possibility to use such means of communication as the means used to carry out the examinations in the case in question should be aware of the risks related to e.g. inadequate security of the recordings against unauthorised access and should take appropriate organisational and technical measures to minimise them. The existence of these risks, in the absence of the controller's actions aimed at their minimisation by the implementation of appropriate organisational and technical measures, leads directly to the risk of violation of the rights or freedoms of natural persons.

In the situation when, as a result of a personal data breach, there is a high risk of infringement of the rights and freedoms of natural persons, the controller shall be obliged to implement all appropriate technical and organizational measures to immediately identify the personal data breach and to promptly inform the supervisory authority as well as the data subjects. The controller should comply with this obligation as soon as possible.

Recital 85 of Regulation 2016/679 explains: "In the absence of an adequate and timely response, a personal data breach may result in physical harm, material or non-material damage to individuals, such as loss of control over their own personal data or restriction of rights, discrimination, identity theft or falsification, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic or social harm. Therefore, as soon as a controller discovers a personal data breach, it should notify it to the supervisory authority without undue delay, where feasible, no later than 72 hours after the breach is identified, unless the controller is able to demonstrate, in accordance with the principle of accountability, that the breach is unlikely to result in a risk of prejudice to the rights or freedoms of natural persons. If a notification cannot be made within 72 hours, the notification shall be accompanied by an explanation of the reasons for the delay and the information may be provided progressively without any further undue delay'.

In turn, recital 86 of the preamble of Regulation 2016/679 explains: "The controller should, without undue delay, inform the data subject of a personal data breach where it is likely to result in a high risk of harm to the data subject's rights or freedoms, in order to allow the data subject to take the necessary preventive measures. Such information shall describe the nature of the personal data breach and shall contain recommendations for the individual concerned to minimise any potential adverse effects. The information should be provided to data subjects as soon as reasonably practicable, in close co-operation with the supervisory authority, respecting guidance provided by the supervisory authority or other relevant authorities such as law enforcement authorities. For example, the need to minimise the immediate risk of harm will require that data subjects be informed immediately, while the implementation of appropriate measures against the same or similar data protection breaches may justify later information."

By notifying the data subject without undue delay, the controller enables the person to take the necessary preventive measures to protect the rights or freedoms from the negative consequences of the breach. Article 34(1) and (2) of Regulation 2016/679 aims not only to ensure the most effective protection of the fundamental rights or freedoms of data subjects, but also to implement the principle of transparency, which follows from Article 5(1)(a) of Regulation 2016/679 (cf. Chomiczewski Witold [in:] RODO. General Data Protection Regulation. Commentary. ed. by E. Bielak - Jomaa, D. Lubasz, Warsaw 2018). The proper fulfilment of the obligation set out in Article 34 of Regulation 2016/679 is to provide data subjects - with prompt and transparent information about the breach of the protection of their personal data, together with a description of the possible consequences of the personal data breach and the measures they can take to minimise its possible negative effects. Acting in accordance with the law and showing due regard for the interests of data subjects, the controller should have ensured without undue delay that data subjects are afforded the best possible protection of their personal data. In order to achieve this objective, it is necessary at least to indicate the information listed in Article 34(2) of Regulation 2016/679, which the controller has failed to do. Thus, by deciding not to notify the breach to the supervisory authority as well as to the data subjects, the controller has in practice deprived the data subjects, provided without undue delay, of reliable information about the breach and the opportunity to prevent potential harm.

When applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this Regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in relation to the processing of personal data is a fundamental right (first sentence of recital 1). In case of any doubt e.g. on the controllers' compliance with their obligations - not only when a personal data breach occurs, but also when developing technical and organisational security measures to prevent it - these values should be taken into account in the first place.

Consequently, it must be concluded that the Controller failed to notify the personal data breach to the supervisory authority in fulfilment of the obligation under Article 33(1) of Regulation 2016/679 and failed to notify the data subjects of the breach of the protection of their data without undue delay in accordance with Article 34(1) of Regulation 2016/679, which implies a breach by the Controller of these provisions.

Pursuant to Article 34(4) of Regulation 2016/679, if the controller has not yet notified the data subject of the personal data breach, the supervisory authority, taking into account the likelihood that this personal data breach will result in a high risk, may require the controller to do so, or may determine that one of the conditions referred to in paragraph 3 has been met. In turn, it follows from the wording of Article 58(2)(e) of Regulation 2016/679 that each supervisory authority has the remedial power to order the controller to notify the data subject of the data breach.

Furthermore, pursuant to Article 58(2)(i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of the other remedies provided for in Article 58(2) of Regulation 2016/679, an administrative pecuniary sanction under Article 83 of Regulation 2016/679, depending on the circumstances of the specific case. The President of the Office for Harmonization in the Internal Market states that in the case under consideration the premises justifying the imposition of an administrative pecuniary penalty on the Administrator based on Article 83(4)(a) of Regulation 2016/679, which provides, inter alia, that a breach of the obligations of the Administrator referred to in Articles 33 and 34 of Regulation 2016/679 is subject to an administrative pecuniary penalty of up to EUR 10,000,000, and in the case of an enterprise - up to 2% of its total annual worldwide turnover from the preceding financial year, the higher amount being applicable. On the other hand, it follows from Article 102(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) that the President of the Office for Personal Data Protection may impose, by way of a decision, administrative fines of up to PLN 100,000 on: units of the public finance sector referred to in Article 9(1)-(12) and (14) of the Act of 27 August 2009 on public finance, a research institute or the National Bank of Poland. It further follows from paragraph 3 of this article that the administrative fines referred to, inter alia, in paragraph 1 are imposed by the President of the Office on the basis and under the conditions specified in Article 83 of Regulation 2016/679.

Pursuant to the content of Article 83(2) of Regulation 2016/679, administrative monetary penalties shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) of Regulation 2016/679. When deciding to impose an administrative pecuniary penalty on the Administrator, the President of the DPA - pursuant to the content of Article 83(2)(a) - (k) of Regulation 2016/679 - took into account the following circumstances of the case, constituting the necessity to apply this type of sanction in the present case and having an aggravating effect on the amount of the pecuniary penalty imposed:

(a) Nature and gravity of the infringement (Article 83(2)(a) of Regulation 2016/679);

The infringement found in the present case is of considerable gravity and seriousness, as it may lead to pecuniary or non-pecuniary damage for the data subjects affected by the infringement and the likelihood of such damage is high.

(b) Duration of the breach (Article 83(2)(a) of Regulation 2016/679);

The President of the DPAO considers the long duration of the breach to be an aggravating circumstance. Several months have elapsed between the time the Administrator became aware of the personal data breach and the date of issuing this decision, during which the risk of infringement of the rights or freedoms of the persons affected by the breach may have been realised and which they could not counteract due to the Administrator's failure to comply with its obligation to notify them of the breach.

(c) The number of affected data subjects (Article 83(2)(a) of Regulation 2016/679);

In the present case, it was established that the breach affected the personal data of a number of individuals - all those 6th year students from six student groups of 26 students each (according to the information provided to the President of the DPA) taking the practical examinations in paediatrics, belonging to all the sections examined from the beginning of the examinations (held on the dates: [...].05.2020, [...].05.2020 and [...].05.2020), who, when taking the examinations in question, showed their student card or identity card.

(d) Intentional nature of the breach (Article 83(2)(b) of Regulation 2016/679);

The Controller made a conscious decision not to notify the President of the DPAO about the breach, as well as the data subjects, despite having been informed about the event by the data subjects and letters from the President of the DPAO addressed to the Controller indicating the possibility of a high risk of infringement of the rights or freedoms of the data subjects in the present case. The aforementioned obligations of the Administrator pursuant to Article 33(1) and (3) and Article 34(1) and (2) were not fulfilled. Such failure to act, despite the obligation to act "without undue delay", made it impossible for individuals to take action as soon as possible in order to protect themselves from any negative consequences of the breach, which in turn does not affect their effectiveness if the Administrator fulfils this obligation.

(e) The degree of cooperation with the supervisory authority to remedy the breach and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679);

In the present case, the President of the Office for Harmonisation in the Internal Market found the Administrator's cooperation with him to be unsatisfactory. The assessment concerns the Administrator's reaction to the letters of the President of the Office for Harmonisation in the Internal Market (OPAI) pointing to the possible existence in this case of a high risk of infringement of the rights or freedoms of the persons affected by the infringement. Actions correct in the assessment of the President of the Office for Harmonisation in the Internal Market (notification of the infringement to the President of the Office for Harmonisation in the Internal Market and notification of the persons concerned by the infringement) were not taken by the Administrator even after the President of the Office for Harmonisation in the Internal Market had initiated administrative proceedings in the case.

(f) Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679);

Personal data made available to unauthorised persons do not belong to the special categories of personal data referred to in Article 9 of Regulation 2016/679, however, their wide scope, involves a high risk of infringement of rights or freedoms of natural persons. Data found in ID cards, apart from: photograph, first names, surname, date of birth and gender, are additionally:

- for ID cards issued before 1 March 2015: family name, parents' names, signature, ID card number and expiry date,

- for ID cards issued from 1 March 2015 to 3 March 2019: family name, first names of parents,

- for ID cards issued after 4 March 2019: nationality, ID card number and expiry date.

On student ID cards, in accordance with:

- the aforementioned Regulation of the Minister of Science and Higher Education of 14 September 2011 on the documentation of the course of studies,

- the aforementioned Regulation of the Minister of Science and Higher Education of 16 September 2016 on the documentation of the course of studies,

which specify the template of the electronic student card, show a colour photograph of the card holder, the name of the university, first name, surname, address, date of issue, album number, PESEL number (and in the case of foreigners, respectively: date of birth). However, according to the currently applicable aforementioned regulation of the Minister of Science and Higher Education of 27 September 2018 on studies, such an ID card contains all the data indicated above for an ID card except for the student's address.

In addition, as a result of the breach in question, unauthorised persons were able to see other information about students: about the group, the year of study, the course, the subject and the answers given during the examination.

(g) How the supervisory authority became aware of the breach (Article 83(2)(h) of Regulation 2016/679);

The President of the Office for Harmonization in the Internal Market (OCCP) was not informed about the breach of personal data protection constituting the subject matter of the present case, i.e. about the disclosure to unauthorized persons of personal data processed by the Administrator, in accordance with the procedure provided for such situations in Article 33 of Regulation 2016/679 - the information was received from several other sources. The fact that no information on the data protection breach was provided by the controller obliged to provide such information to the President of the Office for Harmonisation in the Internal Market should be considered as an encumbrance for the controller.

When determining the amount of the administrative fine, the President of the Office for Harmonisation in the Internal Market also took into account the actions taken by the controller to minimise the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679). The controller provided data subjects with certain information regarding the breach and enabled them to communicate through the communication channels provided for this purpose. He also pointed out to persons who may have unauthorised access to the disclosed recordings the possible disciplinary and criminal consequences of their unlawful use. Such action by the Administrator deserves to be noticed and accepted, however, it is by no means equivalent to compliance with the obligation referred to in Article 34 of Regulation 2016/679.

No other circumstances indicated in Article 83(2) of Regulation 2016/679 had any impact on the fact that the President of the Office for Harmonisation in the Internal Market (OCCP) applied a sanction in the form of an administrative fine in the present case, as well as on its amount:

(a) the degree of responsibility of the controller taking into account the technical and organisational measures implemented by the controller pursuant to Articles 25 and 32 (Article 83(2)(d) of Regulation 2016/679) - the breach assessed in the present proceedings (failure to notify the President of the DPA of a personal data protection breach and failure to notify data subjects of a personal data protection breach) is not related to the technical and organisational measures applied by the controller;

(b) relevant previous breaches of Regulation 2016/679 committed by the Controller (Article 83(2)(e) of Regulation 2016/679) - no previous breaches committed by the Controller have been identified;

(c) compliance with the measures referred to in Article 58(2) of Regulation 2016/679 previously applied in the same case (Article 83(2)(i) of Regulation 2016/679) - in the case the President of the DPA has not previously applied the measures referred to in the provision indicated;

(d) application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679) - the controller does not apply approved codes of conduct or approved certification mechanisms;

(e) financial benefits achieved or losses avoided directly or indirectly as a result of the breach (Article 83(2)(k) of Regulation 2016/679) - the controller was not found to have achieved any financial benefits or avoided financial losses as a result of the breach.

In the opinion of the President of the Office for Harmonisation in the Internal Market, the administrative fine applied fulfils, in the established circumstances of the case, the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.

It should be emphasised that the penalty will be effective if its imposition leads to the Administrator's future compliance with its obligations in the area of personal data protection, in particular with respect to reporting the personal data protection breach to the President of the DPA and notifying the persons affected by the breach of personal data protection. The application of the administrative fine in this case is necessary also taking into account that the controller ignored the fact that the data protection infringement occurs both when it is caused by a conscious action and when it is caused by an unintentional act.

In the opinion of the President of the Office for Personal Data Protection, the administrative fine will fulfil a repressive function, as it will constitute a response to the controller's breach of the provisions of Regulation 2016/679. It will also fulfil a preventive function; in the opinion of the President of the Office for Personal Data Protection, it will point out to the controller in question and to other controllers the reprehensibility of disregarding the controllers' duties related to the occurrence of a personal data protection breach, which are aimed at preventing and eliminating its negative and often painful consequences for the persons affected by the breach, or at least limiting the consequences.

In view of the above, it should be noted that the fine in the amount of PLN 25,000 (in words: twenty-five thousand PLN) fulfils, in the established circumstances of the case, the prerequisites referred to in Article 83(1) of Regulation 2016/679 due to the seriousness of the identified breach in the context of the fundamental objective of Regulation 2016/679 - the protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. At the same time, the amount of the administrative fine imposed by this decision on the controller being a unit of the public finance sector (public university - indicated in Article 9(11) of the Act of 27 August 2009 on Public Finance) is within the limit of PLN 100,000 specified in Article 102(1) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781).

In this factual and legal state, the President of the Office for Personal Data Protection decided as in the operative part.

The decision is final. The party has the right to lodge a complaint against the decision to the Voivodship Administrative Court in Warsaw within 30 days from the date of its delivery via the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw). The complaint should be subject to a proportional entry, pursuant to art. 231 in connection with art. 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325 as amended). A party (natural person, legal person, other organisational unit without legal personality) has the right to apply for the right to assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent agent. The right of assistance may be granted upon request of a Party filed before the initiation of proceedings or in the course of proceedings. The application is free of court fees.

Pursuant to Article 105(1) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the expiry of the time limit for lodging a complaint with the Voivodship Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the NBP O/O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for Personal Data Protection may, upon a justified motion of the punished entity, postpone the date of payment of the administrative fine or spread it into instalments. In the case of postponing the date of payment of an administrative fine or spreading it into installments, the President of the Office for Personal Data Protection calculates interest on the unpaid amount on an annual basis, using a reduced rate of interest for default, announced on the basis of Article 56d of the Act of 29 August 1997. - Tax Ordinance (Journal of Laws of 2020, item 1325, as amended), from the day following the date on which the application was filed.

Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the filing of a complaint by a party to the administrative court suspends the enforcement of the decision with regard to the administrative fine.