22.04.2025

The Supreme Administrative Court upholds the decision of the President of the Polish SA

The Supreme Administrative Court upholds the decision of the President of the Personal Data Protection Office concerning Medical University of Silesia

The Supreme Administrative Court issued a judgment upholding the decision of the President of the Personal Data Protection Office which, among other things, imposed an administrative fine of PLN 25,000 on the Medical University of Silesia in Katowice for failing to notify a personal data breach to the supervisory authority and failing to communicate it to the data subjects.

Uploading of exam recordings on the university platform

Recordings of practical examinations in paediatrics were made available on the platform operated by the Medical University of Silesia in Katowice. Students sitting the exam had mostly been identified by presenting a student card or identity card, so those documents were captured in the recordings.

Many people logged on to the platform or sent each other links to the shared recordings. When the links were checked it also turned out that a recording could be viewed without logging in at all.

The alarmed students began to check whether the data from their identity documents were visible in the recordings. They also pointed out that they had not been informed before taking the exam that the recordings would be made available on the platform.
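The failure described above, recordings reachable by anyone holding the link and no login required, is an access-control defect that a platform operator can test for routinely. The following is an added example and not code from the university, the platform or the supervisory authority: a small Python script that stands up a hypothetical in-process server with two recordings (one correctly gated on a session cookie, one exposed), then fetches every link without any credentials and reports those that come back with HTTP 200. The paths, the cookie name and the server itself are constructed for the example.

```python
"""Unauthenticated-access check for shared recording links (added example).

A tiny in-process HTTP server stands in for an exam platform. One recording
correctly demands a session cookie; the other is returned to anyone who has
the link, which is the misconfiguration the article describes. The audit
fetches each link with NO credentials and flags every link answered with 200.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed, hypothetical paths: True = login required (correct), False = public.
RECORDINGS = {
    "/recordings/paediatrics-group1.mp4": True,
    "/recordings/paediatrics-group2.mp4": False,   # misconfigured: no login needed
}


class PlatformHandler(BaseHTTPRequestHandler):
    """Stand-in for the platform: gates a recording on a 'session' cookie."""

    def do_GET(self):
        needs_auth = RECORDINGS.get(self.path)
        if needs_auth is None:
            self.send_response(404)
            self.end_headers()
            return
        if needs_auth and "session=" not in self.headers.get("Cookie", ""):
            self.send_response(401)          # correct behaviour: refuse anonymous access
            self.end_headers()
            return
        body = b"fake-video-bytes"            # constructed placeholder content
        self.send_response(200)
        self.send_header("Content-Type", "video/mp4")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):    # keep the server quiet
        pass


def start_server():
    """Bind to a free localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), PlatformHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def audit_links(base_url, paths):
    """Fetch every path with no Cookie/Authorization header; return {path: status}."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url + path)   # deliberately anonymous
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code                   # 401/403 is the expected answer
    return results


def exposed_links(results):
    """Links readable without logging in: the ones that must not exist."""
    return [path for path, status in results.items() if status == 200]


if __name__ == "__main__":
    server = start_server()
    base = "http://127.0.0.1:%d" % server.server_port
    for exposed in exposed_links(audit_links(base, RECORDINGS)):
        print("EXPOSED without login:", exposed)
    server.shutdown()
```

Run against the real platform, the same audit would take the list of recording URLs and a clean client with no cookies; any 200 is a finding to fix before the links are handed to students, and a 401 or 403 on every link is the evidence that the access control actually holds.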

The proceedings concerning personal data breach

In connection with the above, the President of the Personal Data Protection Office initiated administrative proceedings to determine whether the personal data protection provisions had been infringed with regard to the obligation to notify a personal data breach to the supervisory authority (Art. 33(1) GDPR) and to communicate it to the data subjects where the breach is likely to result in a high risk to the rights and freedoms of natural persons (Art. 34(1) GDPR).

In its explanations addressed to the supervisory authority, the controller indicated, among others, that:

- the data on the documents may have remained illegible or only partially legible,

- it had not received any information indicating unauthorised use of the personal data made available as a result of the breach in question,

- members of the academic community are obliged by the University Statutes to comply with internal regulations, including those relating to the protection of privacy.

Referring to this argumentation, the President of the Personal Data Protection Office stressed once again that in such a case it does not matter whether an unauthorised recipient actually obtained and read the personal data of other persons; what matters is that the risk of this arose and, as a consequence, so did a potential risk of violation of the rights and freedoms of the data subjects.

The authority further explained that in the present case there was a risk of unauthorised acquisition of personal data. Contrary to the controller's claims, the fact that the persons with access to the platform are in a relationship with the controller cannot be taken to guarantee the confidentiality of the data.

On the question of the legibility of the photographs, the supervisory authority pointed out that software exists which can process photographs or recordings so that the data they contain become readable.

When assessing the controller's conduct, the supervisory authority also took into account the scope of the personal data disclosed in the recordings. Beyond the information on the student cards or identity cards, other data connected with taking the exam could also be disclosed: image, voice, information about the group, year of study, field of study, the subject and the answers given during the exam. Loss of control over these data could therefore have further consequences, severe for the students recorded.

Proceedings before the Voivodeship Administrative Court

The Medical University of Silesia lodged a complaint with the Voivodeship Administrative Court in Warsaw against the decision of the President of the Personal Data Protection Office, alleging, inter alia:

  • failure to assess the actual, real risk of the disclosed personal data being used, given the low quality of the recorded footage, which makes it impossible to read the data from the documents presented by the students;
  • failure to appoint an expert in digital image processing to determine whether it was in fact technically possible to read and use the data from the documents visible in the recordings.

The Voivodeship Administrative Court did not accept this argumentation, holding that the risk does not have to materialise for the controller to be obliged to notify a personal data breach (Art. 33(1) GDPR) and to communicate the breach to the persons affected (Art. 34(1) GDPR). It is clear from the wording of those articles that the mere risk of such a breach obliges the controller to take appropriate action.

The Voivodeship Administrative Court also confirmed that the University had not carried out a proper risk analysis, relying mostly on the arguments that the recordings were illegible, that no reports of adverse effects of their publication had been received and that only a small group of people could have had access to them. These assumptions were insufficient to release the controller from the obligations set out in Article 33(1) and Article 34(1) GDPR.

The court also emphasised that a controller which allows exams to be recorded should be aware of the risks arising from inadequate protection of the recordings against unauthorised access and, in order to minimise them, should put appropriate organisational and technical measures in place already when recording is introduced, not after an incident.

Proceedings before the Supreme Administrative Court

The Medical University of Silesia brought a cassation appeal before the Supreme Administrative Court, essentially repeating the pleas raised at first instance.

The Supreme Administrative Court agreed with the position of the supervisory authority and dismissed the appeal lodged by the University.

Responding to the allegation that no expert had been appointed, it pointed out that the President of the Personal Data Protection Office belongs to the group of specialised administrative bodies, which means that the office has staff specialised in the tasks and competences entrusted to it. Matters which for an ordinary citizen would require expert knowledge can therefore be examined by the authority without seeking outside experts, since its own employees can assess them on the basis of their expertise.

The Supreme Administrative Court also pointed out that carrying out the risk assessment is the controller's own right, but that, contrary to the complainant's view, a risk assessment that is performed incorrectly is subject to sanctions. The essence of the personal data breach procedure is that the supervisory authority examines whether the controller carried out a correct risk assessment in the given case.

It is not a question of carrying out just any risk assessment, but one that pursues the underlying objective of Articles 33(1) and 34(1) GDPR, i.e. ensuring the highest level of protection of personal data, also in a crisis situation such as a personal data breach.