Polish SA imposed a fine on the Szczecin-Centrum District Court in Szczecin

19 January 2023

Background information

  • Date of decision: 19/01/2023
  • Cross-border case or national case: National case
  • Legal references: Article 83 (1-3) and (4) (a) and (5) (a) GDPR (General conditions for imposing administrative fines), Article 24 (1) GDPR (Responsibility of the controller), Article 25 (1) (2) GDPR (Data protection by design and by default), Article 32 (1) (2) GDPR (Security of processing), Article 5 (1) (e) (f) and (2) GDPR (Principles relating to processing of personal data), Article 57 (1) (a) and (h) GDPR, Article 58 (2) (i) GDPR, Article 33 GDPR (Notification of a personal data breach to the supervisory authority)
  • Decision: Administrative fine
  • Key words: Data security, Administrative fine, Personal data breach, data storage

Summary of the Decision

Origin of the case

The Polish SA received a notification of a personal data breach filed by the Szczecin-Centre District Court in Szczecin on 20 September 2020. The breach occurred as a result of the loss of three pendrive-type data storage devices: one official device, which was encrypted, and two private devices, which were unencrypted. The lost data storage devices contained draft judgments and justifications containing personal data (from December 2004 to August 2020).

Key Findings

The investigation established the long-standing use of private data storage devices on the Court's computer equipment, unsecured and unverified by the IT department of the Szczecin Court. In addition, it was found that the controller, despite having procedures in place banning the use of private data storage devices, did not supervise whether Court staff complied with these internal regulations. In the course of the proceedings, the authority found that the controller did not implement adequate technical measures, e.g. blocking USB ports, to prevent the use of private data storage devices. It should be emphasised that a controller allowing the use of portable data storage devices should ensure that these are business storage devices verified by the IT department and protected against unauthorised access if lost or left unattended. In the authority's view, the controller was aware of the risk of using private, unsecured and unverified data storage devices before the infringement occurred, as evidenced by the conclusions of the audits conducted at the court.

Decision

The Polish SA imposed an administrative fine of about 6,700 EUR (PLN 30,000) on the Szczecin-Centrum District Court in Szczecin. The decision found an infringement of the provisions of the GDPR consisting in the controller's failure to implement appropriate technical and organisational measures to ensure a level of security corresponding to the risk of data processing using portable data storage devices.

For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.