
The Supreme Administrative Court dismissed the cassation appeal
The Supreme Administrative Court dismissed the cassation appeal lodged by the National School of Judiciary and Public Prosecution.
The Supreme Administrative Court dismissed the cassation appeal of the National School of Judiciary and Public Prosecution (KSSiP), which disagreed with the PLN 100,000 fine imposed by the President of the Personal Data Protection Office for violating personal data protection regulations.
The case dates back to 2020, when the KSSiP notified a personal data breach to the President of the Personal Data Protection Office. The reason was a large-scale leakage of data concerning thousands of judges, prosecutors, court assessors and prosecutor’s assessors onto the internet. It occurred during the migration of data to a training platform. The categories of personal data affected by the breach included not only first names, surnames and email addresses, but also access passwords and IP addresses.
During the proceedings, the President of the Personal Data Protection Office established that the KSSiP had outsourced the data processing to an external company (the processor) and that the processing had been carried out without the appropriate technical and organisational measures (among other things, the controller failed to check whether the copy of the data had been deleted from the server after the migration).
In connection with the situation, the President of the Personal Data Protection Office imposed an administrative penalty of PLN 100,000 on the National School of Judiciary and Public Prosecution. The reason for the penalty was not the fact of the data breach itself, but the circumstance that the KSSiP did not sufficiently verify the environment or engage with the processor to determine whether the data was sufficiently secured.
The KSSiP disagreed with the arguments of the President of the Personal Data Protection Office, pointing out that the security measures provided during the migration process were sufficient and that the error, resulting from the work of one of the IT specialists, was committed by an external company. The KSSiP also disagreed with the amount of the penalty imposed.
The President of the Personal Data Protection Office did not accept these explanations. The Voivodeship Administrative Court did the same, emphasising that responsibility for the data processing operation rests at all times with the controller, not the processor.
Ultimately, the case was decided by the Supreme Administrative Court, which noted in its ruling that the KSSiP had not made any efforts to secure the entire data migration process, nor had it informed the external company about its expectations regarding this operation. According to the Supreme Administrative Court, the controller is the initiator of the activities as the entity deciding on the purposes and means of processing. Whether the leakage occurred as a result of an error by an employee of the external company or for other reasons is irrelevant to the controller's liability under Article 32 of the GDPR.
The Supreme Administrative Court also stated that the amount of the administrative penalty was not in doubt. It also noted that, given the scale of the violations committed by the controller, the penalty would be much higher in the case of a private entity (in the case of a public entity, there is a statutory upper limit of PLN 100,000).