Banner1.png
Banner3.png

WSA Warsaw (Poland) - II SA/Wa 2129/20

From GDPRhub
WSA Warsaw - II SA/Wa 2129/20
Courts logo1.png
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 4(7) GDPR
Decided: 13.05.2021
Published: 04.08.2021
Parties: Prezes Urzędu Ochrony Danych Osobowych
Szkoła Główna Gospodarstwa Wiejskiego
National Case Number/Name: II SA/Wa 2129/20
European Case Law Identifier:
Appeal from: UODO (Poland)
ZSOŚS.421.25.2019
Appeal to:
Original Language(s): Polish
Original Source: UODO (in Polish)
Initial Contributor: n/a

The Provincial Administrative Court in Warsaw upheld a fine by the Polish DPA of approximately €11,000 (PLN 50,000) on an university that had failed to implement appropriate measures to prevent the disclosure of personal data on an employee laptop. Contrary to the university's arguments, the Court held that the University could be classified as a controller, as it determined the purposes and means of the processing of data on the laptop, and the employee was acting on its behalf.

English Summary[edit | edit source]

Facts[edit | edit source]

On 20 August 2020, the Polish DPA imposed a fine of approximately €11,000 on the Warsaw University of Life Sciences (SGGW) for failing to implement sufficient technical and organizational measures to prevent exposure of over 80000 records about study candidates.

The data breach occurred as a result of a theft of a university employee's private laptop, on which the personal data of candidates for studies had been saved. The university argued that it had not been a controller of the data stored on the stolen device. Instead, it was the employee acting without knowledge of SGGW and in violation of internal procedures.

Holding[edit | edit source]

The court fully upheld the DPA's decision and stated that the SGGW had violated the GDPR.

The court disagreed with the argument that the SGGW had not been a data controller in the case. The university determined the purposes and means of the processing of personal data. Its employee was always acting on behalf of the university.

Subsequently, the court agreed with the DPA that the university violated several provisions of the GDPR, including the principle of integrity and confidentiality and that the fine was correctly imposed.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

WULS-SGGW did not implement sufficient technical and organizational measures to ensure the security of personal data of applicants for studies - confirmed the Provincial Administrative Court in Warsaw in a judgment of May 13, 2021. The Provincial Administrative Court upheld the decision of the President of the Personal Data Protection Office imposing 50,000 PLN fine for the university.

The case dealt with by the Provincial Administrative Court concerns the decision of the President of the Personal Data Protection Office related to the breach of personal data protection of candidates for studies at SGGW from November 2019. At that time, a private laptop of a university employee was stolen, on which the personal data of candidates for studies had been saved. The subsequent inspection and administrative proceedings of the Personal Data Protection Office revealed irregularities on the part of the data controller, which resulted in the imposition of a fine.

Before the court, the university tried to prove that it was not, in fact, the administrator of the data contained in the stolen private computer of its employee. In her opinion, it was the employee who was the administrator of this data because, without the knowledge of the administrator, and in violation of internal procedures, he processed student recruitment data from the period of five years on private equipment. In its internal regulations, the university specified that the data of candidates for studies are to be processed for a maximum period of three months.

The Provincial Administrative Court disagreed with the university and pointed out that the Personal Data Protection Office (UODO) rightly recognized WULS-SGGW as the data controller. The court noted that, in accordance with the definition of the administrator contained in the GDPR, the university played this role because it decided on the purposes and methods of processing personal data of candidates for studies. An employee whose laptop with data was stolen was not an entity that independently decided about the purposes and methods of their processing. He performed the processing activities because he was an employee of this university, involved in the recruitment process for studies.

The court pointed out that the university employee does not act as a separate legal entity. His actions are therefore the actions of the employer, which is responsible for them, maintaining the possibility of enforcement, order and disciplinary liability towards the employed person. The assessment of this situation was not changed by the fact that the employee's actions went beyond the duties entrusted to him.

The WSA agreed with the Personal Data Protection Office that the university violated a number of GDPR rules, including the principle of integrity and confidentiality, according to which personal data must be processed in a way that ensures their appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by appropriate technical or organizational measures. The court found that the controller did not carry out a risk analysis and did not assess the threats he was dealing with. Therefore, he has not implemented appropriate technical and organizational measures to effectively secure the processed data. Meanwhile, a threat to the data processed by WULS-SGGW,it was possible to export data from the Candidate Service System to an external medium without registering the process in the IT system.

The court agreed with the supervisory authority that the university did not sufficiently control the data processing process in which its employee participated and did not verify the correctness of its activities.

The Provincial Administrative Court also confirmed that the Personal Data Protection Office (UODO) correctly imposed a fine on the university, taking into account all the circumstances contained in Art. 83 sec. 2 GDPR.