Polish SA: Personal data carrier must be secured

13 July 2021

The President of the District Court did not secure the company data carrier, but only instructed his employees to do it themselves. Instead, it is the controller, and not the user of the carrier, who is responsible for implementing appropriate technical and organisational measures to ensure adequate data security. For lack of such measures the supervisory authority imposed on the President of the Court an administrative fine of PLN 10 000.

The decision to impose the fine is connected with the notification by the President of the District Court in Zgierz of a violation of personal data protection consisting in the loss of an unencrypted portable memory drive by a probation officer. The personal data of 400 individuals subject to probation supervision and covered by community interviews were stored on the carrier. Due to the scope of the personal data disclosed, the indicated breach caused a high risk of infringement of rights or freedoms of natural persons, therefore the controller communicated the personal data breach on the website of the District Court in Zgierz.

The lost and, at the same time, unsecured memory carrier has not been found so far, so the personal data on it may still be accessed by an unauthorised person or persons.

In the course of the proceedings before the Personal Data Protection Office (UODO), the controller in his explanations indicated that he had implemented a personal data protection system in the form of personal data processing rules. The documentation is updated on an ongoing basis and audited by a data protection officer (DPO) appointed for this purpose. Moreover, the controller assured that it undertook actions in the form of on-site and e-learning trainings for the Court's employees (including probation officers) regarding personal data protection and the implemented documentation rules, stand-by duty performed by the DPO at the controller's premises, on-line stand-by duty and ad hoc inspections conducted by the DPO during stand-by duty.

However, based on the controller’s documents, the obligation to secure the data carriers rests with the users. In the opinion of the UODO, such an approach is inappropriate. The investigation showed that the controller breached, among others, the principle of confidentiality and integrity of personal data by issuing unsecured portable memory carriers to probation officers for their official use and obliging them to implement the security measures for such carrier on their own. The consequence of the failure to implement appropriate organisational and technical measures, in the event that such a carrier is lost by a probation officer, is that unauthorised persons can access the personal data contained therein.

It is worth mentioning that the training of employees in the scope of personal data protection is necessary and needed, however, it cannot be considered as appropriate organisational measures in this particular case and it should not replace measures of technical nature, which were not provided for by the controller. Furthermore, in this case, the controller left the effective securing of the carrier to its user, without indicating any exemplary and adequate safeguards that the employee may apply. It should be borne in mind that employees, as was the case here, may not have knowledge of how to secure personal data carriers. Therefore, the actions applied by the President of the Court cannot be considered as the implementation of appropriate technical or organisational measures.

It should be pointed out that it is the controller, and not the employee or the person performing official tasks, who is obliged to implement appropriate technical and organisational measures so that the processing is carried out in accordance with the requirements of the GDPR.

When setting the amount of the administrative fine, the UODO took into account as a mitigating circumstance the good cooperation of the President of the Court with the supervisory authority undertaken and carried out in order to remedy the infringement and mitigate its possible negative effects.

The full text of the decision is available in Polish here.

For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl


The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.