
The Voivodeship Administrative Court has dismissed Delta KTW’s and InterSYS’ complaints
In its judgment of 3 July 2025 in case II SA/Wa 2056/24, the Voivodeship Administrative Court in Warsaw dismissed Delta KTW Sp. z o.o.’s complaint in its entirety and InterSYS s.c.’s complaint in respect of point II of the decision of the President of the Personal Data Protection Office (DKN.5131.1.2021). In the oral grounds for its judgment, the Administrative Court fully accepted the line of argument put forward by the supervisory authority in the contested decision.
The case concerned the decision of the President of the Personal Data Protection Office, Mirosław Wróblewski, which imposed administrative fines on: the limited liability company Delta KTW (the legal successor of the sanctioned entity, a natural person conducting business activity), acting as the data controller, in the amount of PLN 353 589; and the partners of the civil law partnership InterSYS, acting as the processor, in the amount of PLN 9 822.
Inadequate data protection measures and lack of risk analysis
The Court pointed out that the data controller (Delta KTW Sp. z o.o.) had not implemented appropriate technical and organisational security measures before the personal data breach occurred, because it had not conducted a risk analysis for the personal data processing operations it carried out. Consequently, the controller infringed the principle of data confidentiality (Art. 1 lit. f) GDPR) and, further, the principle of accountability (Art. 2 GDPR). The measures implemented after the breach were likewise not preceded by a risk analysis. As a result, the controller was once again unable to demonstrate that the measures it had implemented were adequate to the risk of a ransomware attack.
Breaches of controller’s obligations to inform data subjects
The Court agreed with the supervisory authority that the controller failed to comply with its obligation to inform data subjects, because it did not provide them with information on the possible consequences of the breach or on the remedial measures they could take to minimise its negative effects (Art. 34(2) in conjunction with Art. 33(3)(c) and (d) GDPR).
Lack of testing and supervision of the processor
The controller did not demonstrate that it regularly tested, assessed and evaluated the security measures it had implemented. As a result, the controller could not quickly restore the availability of the data affected by the ransomware attack. The Court also confirmed that the controller did not properly verify the processor (the partners of InterSYS s.c.), limiting itself to concluding a data processing agreement without carrying out any audits or inspections of the processor.
In view of the deficiencies found, the President of the Personal Data Protection Office correctly ordered the controller to bring its processing operations into compliance by implementing technical and organisational security measures for processing on the basis of a prior risk analysis.
Role and responsibility of the processor
The Court confirmed the findings of the President of the Personal Data Protection Office that the partners of InterSYS s.c., as IT professionals, were aware of the shortcomings of the server software in use, yet did not inform the controller of the need to update it or to implement newer software. Their failure to do so, knowingly and negligently, directly contributed to the breach. Although the processor's partners knew of the existing vulnerabilities in the server software, they did not notify the controller of this fact, which, as the Court rightly pointed out, rules out any finding that the processor complied with its obligation to provide the controller with "assistance" taking into account the "information available to it" (Art. 28(3)(f) GDPR).
Amount of the fine proportional to the breach
In the opinion of the Court, the President of the Personal Data Protection Office gave detailed and correct reasons for the amount of the fines imposed, which fulfil their function of being effective, proportionate and dissuasive.
The case concerns decision DKN.5131.1.2021 of the President of the Personal Data Protection Office.