30.09.2024

The controller shall not delegate to an employee the determination of how to safeguard data

The Supreme Administrative Court dismissed the cassation appeal of the President of the District Court in Zgierz against the judgment of the Voivodeship Administrative Court in Warsaw. In doing so, it upheld the decision of the President of Personal Data Protection Office to impose a fine for lack of adequate safeguards.

The whole affair began when, in February 2020, a court probation officer in Zgierz lost an unencrypted memory stick containing the personal data of 400 people. There were names, dates of birth, addresses of residence or stay, PESEL (personal identification numbers), data on earnings and/or assets, ID card numbers, telephone numbers, health data and convictions.

The President of the District Court, as data controller, notified the President of the Personal Data Protection Office of this personal data breach and informed the persons whose data was on the lost media about it. After analysis, the President of the Personal Data Protection Office found that the controller had not fulfilled this duty properly: it had not adequately informed the data subjects about the possible consequences of the personal data breach and about what the controller had done to minimise those consequences.

However, it was crucial to establish what had been going on in the court prior to the incident

The President of the Personal Data Protection Office found that the controller had improperly implemented technical and organisational safeguards. According to the procedures in place at the Court in Zgierz, the obligation to secure official media containing personal data rested with the users (employees) themselves. An obligation to register and encrypt such media was only introduced after the court probation officer had lost the memory stick.

Previously, employees were simply trained in data protection. However, as the President of the Personal Data Protection Office pointed out, one-off training is not enough: it does not guarantee that an employee will not carry data on an unprotected medium. In the case in question, the employee "protected" the data by carrying the memory stick in a lockable bag.

The controller

  • did not carry out a proper risk assessment, so it could not properly seek to mitigate the risks;
  • limited itself to organisational security measures (procedures, training) without verifying their effectiveness;
  • did not implement technical security measures such as encryption or media checks.

All this was inadequate in the face of the risk of loss or destruction of this data, both in terms of the likelihood of such an event and in terms of its consequences.

The courts recall what a risk-based approach means

The President of the Personal Data Protection Office found a breach of the provisions of the GDPR (Articles 5(1)(f), 25(1), 32(1)(b) and (d)) and imposed a fine of PLN 10,000 on the entity.

However, the President of the District Court in Zgierz appealed this decision to the Voivodeship Administrative Court. As the Voivodeship Administrative Court upheld the authority's position, the controller filed a cassation appeal with the Supreme Administrative Court.

The appeals were dismissed by the courts of both instances.

The Voivodeship Administrative Court in its judgment recalled that data controllers, when processing personal data, must bring their processing operations into compliance with the GDPR. To this end, they should implement organisational and technical security measures. In the case at hand, however, the controller had limited itself to issuing unsecured storage media and obliging the court probation officer to secure that storage on their own. This was not enough, because if the storage media were lost, unauthorised persons could gain access to the data.

The Supreme Administrative Court, in turn, stressed that equipping court probation officers with encrypted storage media would have mitigated the risk of breaching the confidentiality of personal data, even if the media were lost. Such a solution was available to the controller, because it is not costly and the court had the knowledge to implement it.

On top of that, even the risk assessment that the President of the Court, as data controller, did carry out shows that the risk of losing media had been identified. Nevertheless, the controller did not implement security measures adequate to this risk.

The issue in the case was not the fine for the controller's failure to prevent the loss of media, but the protection of personal data in the event of loss of media.

Supreme Administrative Court, ref. no. III OSK 2654/22, concerning the cassation appeal of the President of the District Court in Zgierz against the judgment of the Voivodeship Administrative Court in Warsaw of 15 February 2022, ref. no. II SA/Wa 3309/21.