The Supreme Administrative Court confirmed the fine imposed on the Warsaw University of Life Science

The case concerned a breach by the university of its obligations under personal data protection rules resulting in an incident: the personal data of the candidates for the studies were exported to the employee’s private computer and the confidentiality of those data was breached as a result of the theft of that device.

The situation occurred in 2019 and after examining the case, the President of the Personal Data Protection Office imposed a fine of PLN 50 thousand on the university – the data controller – for non-compliance with the rules. The Warsaw University of Life Sciences first challenged that decision before the Voivodeship Administrative Court and then brought an action before the Supreme Administrative Court. On 7 February 2025, the Supreme Administrative Court rejected the university’s complaint.

The Supreme Administrative Court disagreed with the Warsaw University of Life Sciences position that the university was not responsible for the employee’s actions which exceeded his authorisation. An employee who has exported data to a private laptop has not thus acquired the status of controller. The Warsaw University of Life Sciences, as the controller, should have full control over the data processing operations in order to prevent the occurrence of events exposing data to unauthorised persons. It also has to verify the behaviour of employees to ensure that they comply with the rules on the protection of personal data. The Supreme Administrative Court considered that the Warsaw University of Life Sciences had failed to fulfil its obligations in this area.

ZSOŚS.421.25.2019

WSA: sygn. akt II SA/Wa 2129/20

NSA: sygn. akt III OSK 6801/21