Fine for personal data breach imposed on SGGW
The President of the Personal Data Protection Office, after having found a personal data breach by the Warsaw University of Life Sciences (SGGW), imposed a fine on this entity in the amount of PLN 50 000.
Let us remind you that in November 2019 the President of the UODO received a notification of breach of personal data of candidates for studies at SGGW. The notification was related to the theft of a portable private computer of the university employee, who used this device also for business purposes, including the processing of personal data of candidates for studies at SGGW for the purposes of recruitment activities. After an inspection carried out at the university in connection with a data breach, the President of the UODO instituted ex officio administrative proceedings.
On the basis of the evidence collected during the proceedings, the President of the UODO imposed an administrative fine on the university. In deciding on the amount of the fine, the supervisory authority took into account that the personal data breach concerned candidates for studies at SGGW from the last five years, covered a wide range of data, and that the number of persons affected could be up to 100 (upper limit). It was also important for establishing the amount of the fine that the controller had no knowledge of the processing of personal data on the employee’s private computer, nor did it supervise that processing: it failed to verify on which media the personal data of candidates for studies collected from the IT system were processed, and it failed to record this operation in the IT system. The above circumstances indicate a breach of the principles of confidentiality and accountability specified in the GDPR.
It is worth noting that the personal data of candidates for studies from five years of recruitment were processed, which was non-compliant with the prescribed retention period for personal data of candidates for studies, specified at SGGW as three months after completion of the recruitment process. This constitutes a breach of the principle of storage limitation provided for in the GDPR.
Moreover, in the course of the conducted proceedings it was established that the university had not implemented appropriate organisational and technical measures to ensure the security of the processing of personal data of candidates for studies.
It is the controller’s obligation to implement appropriate technical and organisational measures to ensure the security of the data processed. They should be reviewed and updated on an ongoing basis in line with existing legislation and changing technology. It should be noted here that the establishment of appropriate technical and organisational measures is a two-step process. First, it is necessary to identify the level of risk associated with the processing of personal data. Then it is necessary to establish which technical and organisational measures will be appropriate to ensure a level of security appropriate to this risk. Those arrangements should include measures such as the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
In the opinion of the supervisory authority, the measures taken by the university in relation to the processing of data of candidates for studies were insufficient.
At the same time, the President of the UODO stated that in the case concerned the Data Protection Officer (DPO) performed their tasks without having due regard to the risk associated with the processing operations. The appointed Data Protection Officer was not involved by the university in the recruitment process for studies, including the functioning of the IT system intended for this activity. The involvement of a DPO could have reduced the risk of inappropriate processing.
When imposing the fine, the President of the UODO took into account mitigating circumstances, such as good cooperation with the supervisory authority both in the course of the inspection and during the administrative proceedings, and action taken by the university to remedy the infringement and ensure the security of data processing in the future.
The full text of the decision is available (in Polish) at: https://www.uodo.gov.pl/decyzje/ZSO%C5%9AS.421.25.2019