The Voivodeship Administrative Court has supported the decision of UODO
The Warsaw University of Life Sciences did not implement sufficient technical and organizational measures to ensure the security of the personal data of applicants for studies, the Voivodeship Administrative Court in Warsaw confirmed in its judgment of May 13, 2021. The Voivodeship Administrative Court upheld the decision of the President of the Personal Data Protection Office imposing a 50 000 PLN fine on the university.
The case before the Voivodeship Administrative Court concerns the decision of the President of the Personal Data Protection Office related to the personal data breach affecting candidates for studies at the Warsaw University of Life Sciences in November 2019. At that time, a private laptop belonging to a university employee, on which the personal data of candidates for studies had been saved, was stolen. The subsequent inspection and administrative proceedings conducted by the Personal Data Protection Office revealed irregularities on the part of the data controller, which resulted in the imposition of a fine.
Before the court, the university tried to prove that it was not in fact the controller of the data stored on the stolen private computer of its employee. In the opinion of the Warsaw University of Life Sciences, the employee was the controller of those data because, without the knowledge of the university and in violation of internal procedures, he processed student recruitment data covering a period of five years on private equipment. The university's internal regulations specified that the data of candidates for studies are to be processed for a maximum period of three months.
The Voivodeship Administrative Court disagreed with the university and pointed out that the Personal Data Protection Office had rightly recognized the Warsaw University of Life Sciences as the data controller. The court noted that, under the definition of the controller contained in the GDPR, the university fulfilled this role because it decided on the purposes and means of processing the personal data of candidates for studies. The employee whose laptop containing the data was stolen was not an entity that independently decided on the purposes and means of their processing. He performed the processing activities because he was an employee of the university involved in the recruitment process for studies.
The court pointed out that a university employee does not act as a separate legal entity. His actions are therefore the actions of the employer, which is responsible for them and which retains the means to enforce order and disciplinary liability against the employed person. This assessment was not changed by the fact that the employee's actions went beyond the duties entrusted to him.
The Voivodeship Administrative Court agreed with the Personal Data Protection Office that the university violated a number of GDPR principles, including the principle of integrity and confidentiality, according to which personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The court found that the controller did not carry out a risk analysis and did not assess the threats it faced. Consequently, the university did not implement appropriate technical and organizational measures to effectively secure the processed data. One such risk for the data processed by the Warsaw University of Life Sciences was that data could be exported from the Candidate Service System to an external data carrier without the export being recorded in the IT system.
The court agreed with the supervisory authority that the university did not sufficiently control the data processing in which its employee participated and did not verify the correctness of his activities.
The Voivodeship Administrative Court also confirmed that the Personal Data Protection Office correctly imposed a fine on the university, taking into account all the circumstances set out in Art. 83(2) of the GDPR.