Voivodeship Administrative Court fully dismissed KSSIP's complaint against the Polish DPA's decision
The National School of Judiciary and Public Prosecution (KSSIP) did not apply adequate technical and organisational measures to ensure the security of data processing, the Voivodeship Administrative Court in Warsaw (WSA) confirmed.
In its judgment of 26 January 2022*, the WSA agreed with the entire argumentation presented by the Polish Data Protection Authority in the decision imposing an administrative fine of PLN 100,000 on KSSIP in connection with the personal data breach.
In this case personal data related to the domain kssip.gov.pl were disclosed. As a result of unauthorised access to a file with a copy of the database, unknown persons disclosed the data on the Internet. The copy of the database was created in connection with a test migration to a new training platform. During the proceedings before the supervisory authority, as well as before the court, KSSIP tried to prove that the responsibility for the indicated incident lies with the processor whose employee made a copy of the database at the request of the controller and left it on the server.
However, the WSA stressed that the Polish DPA was right to assume that if the controller decided that the copy of the database should be deleted, it was its obligation to verify whether this action had actually been performed. The court pointed out that even if the processor's employee did not remove the copy, the controller was still obliged to verify whether the indicated location ensured the security of personal data processing. The court pointed out that it is the controller who initiates the actions, as the entity which decides on the purposes and means of the processing. The court also underlined that the service agreement between the controller and the processor places the responsibility for security on the controller, which, where necessary, draws on the assistance of the processor.
The allegations of the Polish DPA regarding the lack of comprehensive provisions in the data processing entrustment agreement were also shared by the court. Thus, the supervisory authority correctly indicated that the content of the processing agreement insufficiently specified the scope of the entrusted data. The agreement did not include the categories of data subjects and did not specify the type of personal data by indicating their categories. Moreover, KSSIP did not include in the agreement the obligation of the processor to process personal data only on the documented instructions of the controller.
The WSA did not agree with the complainant's allegation that the proceedings before the Polish DPA should be suspended until the conclusion of the criminal proceedings initiated in connection with the infringement. The court emphasised that the Authority does not duplicate the powers of the public prosecutor's office and the criminal court, but assesses the action of the controller by analysing the facts and interpreting the provisions on personal data protection.
*File number II SA/Wa 1384/21