Speech of the President of the PL SA before the Committee on Children and Youth
The President of the Office for Personal Data Protection, Mirosław Wróblewski, presented to the Children and Youth Parliament comprehensive information on the situation of children and young people in the context of cyber conflicts, the resilience of educational institutions and social organisations working with children, the protection of personal data, the scale and types of attacks and the related organisational and legislative challenges.
The speech of the President of the Personal Data Protection Office included a review of all relevant issues, the Office's conclusions and a recommendation for institutions, local governments and legislators. The President of the Personal Data Protection Office was invited to appear before the Commission by its chairman, Monika Rosa.
As noted by the President of the Personal Data Protection Office, children and young people are a particularly vulnerable group, as they have limited experience and awareness of the risks associated with the processing of personal data.
Cyber threats
This year, the Personal Data Protection Office recorded a significant number of reports of cybersecurity incidents in educational institutions, which justifies the inclusion of this area in sectoral inspections in 2025. It was identified that the main sources of risk are of an organisational and training nature, and also result from weak technical security. Among the most frequently reported incidents were cases of unauthorised access to teachers' accounts in electronic diary systems, password theft, and effective phishing and social engineering attacks leading to account takeovers. There was also unknowingly sharing documents containing student data on public platforms such as Scribd or Docer.
Another major threat was ransomware attacks, leading to loss of access to school networks, as well as user errors resulting from a lack of procedures and proper training, including saving passwords in browsers and using private accounts for work purposes.
In the opinion of the President of the Personal Data Protection Office, the reasons for the vulnerability of facilities to such threats are primarily the lack of a consistent information security policy, the use of private resources for official work, the low level of implementation of technical mechanisms, such as two-factor identity verification and data encryption, as well as insufficient and irregular staff training and the lack of incident response procedures.
Initiatives of the Personal Data Protection Office
The President of the Personal Data Protection Office also pointed to the actions he undertook. For 15 years, the Personal Data Protection Office has been implementing the "Your Data – Your Concern" program, which includes about 5 thousand lessons and events annually with the participation of 50 thousand students and over 5 thousand teachers. The Personal Data Protection Office also cooperated with the Ombudsman for Children and the Orange Foundation, which resulted in practical guides, such as "Image of a child on the Internet. To publish or not?", as well as materials for sports clubs and non-governmental organisations. The Office operates internationally in the Digital Education Working Group, a working group operating within The Global Privacy Assembly, co-creating educational publications.
Legislation
Legislative activity also remains an important area, including the preparation of opinions on draft legal acts concerning minors in relation to international guidelines. The Personal Data Protection Office monitors the process of implementation of solutions resulting from the eIDAS 2 Regulation, promoting the concept of the European Digital Identity Portfolio, and undertakes project initiatives, such as the application submitted under the CERV-2025-CHILD call.
Safety rules and upskilling
As part of the recommendations for educational institutions and organisations working with children, the Personal Data Protection Office pointed to the need to implement and enforce information security policies, provide employees with work e-mail boxes, mandatory use of two-factor authentication in critical systems and data encryption.
It also highlighted the importance of regular training and exercises on data protection and cyber hygiene, the application of safe content sharing rules, as well as the preparation of incident response plans. An important element is the introduction of efficiency metrics, such as the percentage of systems secured by 2FA, the number of trainings conducted or the response time to an incident.
With regard to applications for public decision-makers, the President of the Personal Data Protection Office drew attention to the obligation to provide financing and technical support for facilities so that they can implement basic IT security and provide system administrator service.
During the meeting, the need to establish a regulatory safety minimum for schools, including mandatory technical and organisational mechanisms and the obligation to report significant incidents, was outlined. The importance of solutions compliant with eIDAS 2 as age verification tools while maintaining the principle of data minimisation and the necessity of coordinating inter-ministerial activities and the Personal Data Protection Office were also emphasised.
International cooperation
The PL SA works for the digital education of children as part of the Digital Education Working Group, a working group functioning within The Global Privacy Assembly (GPA). The aim of DEWG is to promote digital education of various actors, respecting children's rights and freedoms, raising their awareness through education, and helping children to become responsible digital citizens, exercising their rights, while maintaining the principle of parental responsibility.
What we plan
As part of the planned activities, the Personal Data Protection announced the organisation of seminars for controllers and service providers, further sectoral inspections and the publication of recommendations and policy templates for schools. The Office will also offer educational materials and support to local governments, kindergartens and non-governmental organisations, and cooperate with digital platforms in the scope of obligations arising from the DSA.
The Personal Data Protection Office puts the protection of children's rights to privacy and security in the digital space in the first place and declares its readiness to continue cooperation with the Commission, ministries, local governments and the educational community. The Personal Data Protection Office is available to provide detailed materials, conduct seminars, provide policy templates and substantive support for legislative activities and practical implementation in institutions.