The initiation of proceedings against the Warsaw University of Life Sciences
Following an inspection performed at the Warsaw University of Life Sciences (SGGW) in connection with the data protection breach, the President of the Personal Data Protection Office (UODO) initiated administrative proceedings.
A stolen laptop, containing the data of candidates for studies at the Warsaw University of Life Sciences, belonged to a staff member of the university. He used it for both private and professional purposes, personal data were processed on the laptop in connection with the recruitment of candidates for studies. However, it is not all the findings made in connection with the inspection carried out by the President of the UODO after the breach at the SGGW.
The inspection showed clear dysfunctions in the data protection system at the university, from both a technical and an organisational point of view. A breach of the personal data protection relating to the obligations imposed on the controller, inter alia, by Article 24(1) of the GDPR has been found, in the context of the failure to update and review the security policies adopted at university. In the course of the inspection it was established that the controller did not duly review the processing of personal data of candidates for studies. Therefore, it did not have sufficient knowledge of the risks involved in that processing and did not take appropriate action under, inter alia, Article 25(1) or 32(1)(b) and (d) of the GDPR. The inspection activities have also shown irregularities in the way of fulfilling the function of the data protection officer who, inter alia, did not execute its tasks in accordance with Article 39(2) of the GDPR, i.e. having due regard to the risk associated with processing operations.
The purpose of the administrative proceedings is to restore a lawful state at the controller’s. In case where the personal data protection provisions are infringed, the President of the UODO shall react adequately to the severity of the specific breach, making use of the numerous powers granted to him under the GDPR. Therefore, the President of the UODO can benefit from the measures under the GDPR. These may be, for example, reprimands, warnings, orders to bring processing operations into compliance with personal data protection provisions. The President of the UODO may also impose an administrative fine depending on the assessment of the circumstances of the case. It is worth recalling that imposing an administrative fine or issuing a warning does not affect the possibility for the President of the UODO to make use of other powers or to impose sanctions.