Polish SA: administrative fine of 5 625 € for failure to implement appropriate technical and organisational measures to ensure security

6 February 2025

Background information

  • Date of final decision: 12 November 2024
  • National case
  • Legal Reference(s): Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing), Article 5 (Principles relating to processing of personal data)
  • Decision: Administrative fine, Compliance order
  • Key words: Administrative fine, Data subject rights, Personal data breach, Principles relating to processing of personal data, Data security, Responsibility of the controller


Summary of the Decision

Origin of the case  

A data protection breach, which resulted in a fine from the President of the Polish Supervisory Authority (SA), occurred when an instructor of ZHP, a scout association, left a backpack containing a laptop belonging to Chorągiew in the subway. The laptop held personal data such as surnames and names, parents' names, date of birth, bank account number, address of residence or stay, PESEL (personal identification number), e-mail address, data on salary and/or assets owned, ID card series and number, telephone number, health data and other data (association membership, service assignment).


Key Findings 

Chorągiew notified the police and the President of the Personal Data Protection Office of the incident; the latter, after analysing the breach, initiated administrative proceedings. The police did not deal with the case because the backpack had been lost rather than stolen.

Chorągiew conducted a risk analysis for the processing of personal data. However, it did not include the risk of inadequately transporting laptops and other IT equipment. Such a risk was only included in the analysis after the loss of the laptop. At that time, it also became apparent that measures ‘regarding the encryption of drives on company computers taken outside the controller's buildings (...)’ needed to be reviewed.

Thus, as noted by the President of the Polish SA, the risk analysis and the measures implemented on its basis were insufficient. The Polish SA pointed out that the role of the controller is not limited to the one-off development and implementation of organisational and technical measures to ensure that personal data are processed in compliance with the principles expressed in the GDPR. Losing a laptop represents an opportunity to review security measures. In such a situation, however, it is crucial whether the controller has regularly tested, measured and evaluated the effectiveness of the technical and organisational measures ensuring the security of the processing of personal data.


Decision

The President of the Personal Data Protection Office has imposed a fine of 5 625 € on Stołeczna Chorągiew ZHP for infringement of Articles 5, 24, 25 and 32 of the GDPR.

Chorągiew was ordered to implement appropriate data protection measures within three months from the date of the decision.

For further information: national decision (Polish)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.