Technical and organisational measures should be complementary
The Personal Data Protection Office has imposed an administrative fine of PLN 30,000.00 on the Szczecin-Centrum District Court in Szczecin. The decision found an infringement of the provisions of the GDPR consisting in the controller's failure to implement appropriate technical and organisational measures to ensure a level of security corresponding to the risk of data processing using portable memory sticks.
The Personal Data Protection Office received a notification of a personal data breach filed by the Szczecin-Centre District Court in Szczecin on 20 September 2020. The breach occurred as a result of the loss of three pendrive-type data carriers: one official - encrypted and two private - unencrypted. The lost media contained draft judgments and justifications containing personal data (from December 2004 to August 2020).
The investigation established the long-standing use of private data carriers on Court’s computer equipment, unsecured and unverified by the IT department of the Szczecin Court.
In addition, it was found that the controller, despite having procedures in place to ban the use of private data carriers, did not supervise whether Court staff complied with internal regulations.
In the course of the proceedings, the authority found that the controller did not implement adequate technical measures, e.g. blocking USB ports to prevent the use of private data carriers. It should be emphasised that a controller allowing the use of portable data carriers should ensure that these are business carriers verified by the IT department and protected against unauthorised access if lost or left unattended.
Integrity and confidentiality
It should be noted that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").
It is the controller who implements appropriate technical and organisational measures so that, by default, only those personal data are processed which are necessary for each specific purpose of the processing. This obligation relates to the amount of personal data collected, the scope of their processing, the duration of their storage and their availability.
The Court's failure to apply security measures adequate to the risks resulted in the controller breaching the provisions of the GDPR.
Implementation and verification
The implementation of technical and organisational measures by the controller is not a one-time action, but should take the form of an ongoing process whereby the controller reviews and, if necessary, updates the safeguards previously adopted. A regular evaluation of the security measures implemented would allow the controller to verify that the procedure put in place specifying the ban of the use of private storage media is followed and therefore effective.
In the authority's view, if the controller had reviewed the implementation of the organisational measure of banning the use of private data carriers, it would then have significantly reduced the risk of infringement or even led to its complete elimination.
In the authority's view, the controller was aware of the risk of using private, unsecured and unverified data carriers before the infringement occurred, as evidenced by the conclusions of the audits conducted at the court, the risk analysis carried out and the resulting conclusions on how to minimise the risks identified, as well as the organisational measures taken in the form of a ban on the use of private data carriers specified in the organisational regulations or an order to use encrypted carriers.
The authority therefore considered it was enough to legitimate the imposition of an administrative fine.