22.12.2025

Fine for Poviat Sanitary Inspector in the city of Police

The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed an administrative fine of PLN 20 000 on the Poviat Sanitary Inspector in the city of Police for failing to implement appropriate technical and organisational safeguards and to test them regularly.

The Poviat Sanitary Inspector in Police reported in 2023 that an employee had lost a private, unencrypted pendrive with no password protection containing the data of 4200 people, including Covid patients, i.e. health data collected until 2021, as well as data on 300 administrative proceedings conducted by the Poviat Sanitary Inspector.

This notification prompted the President of the Personal Data Protection Office to assess the controller’s compliance with its obligations under the GDPR. The President of the Personal Data Protection Office conducted an investigation and initiated administrative proceedings, in the course of which it was found, inter alia, that the data controller had not carried out a proper risk analysis and had no separate rules on the management of external data storage devices. Their use was simply prohibited. However, the risk that an employee would use such a storage device was estimated as low and no action requiring… This assumption was not adequately tested.

This event was identified by the President of the Personal Data Protection Office as a breach of the principle of integrity and confidentiality (Article 5(1)(f) GDPR) and the accountability principle (Article 5(2) GDPR). 

It was only when the President of the Personal Data Protection Office dealt with the case that the controller checked its safeguards and blocked the possibility of copying data to external storage devices.

In its decision, the President of the Personal Data Protection Office recalls that the GDPR protects personal data through risk management, which is a continuous process. The controller is to carry out a detailed analysis of its data processing operations and a risk assessment itself, followed by measures and procedures that are appropriate to the assessed risk. The GDPR does not presuppose a checklist of requirements to be fulfilled, and it does not prescribe specific security measures or procedures to controllers.

This means that each controller must be able to prove to the supervisory authority that:

• the arrangements put in place to ensure the security of personal data are adequate to the level of risk;

• take into account the nature of the organisation and the personal data processing mechanisms used.

What matters in this case is that the controller, which processed health data from the whole poviat, carried out the risk analysis incorrectly before the personal data breach, because the analysis was too vague. As a result, it could not select risk-appropriate security measures, which led to the incident.

The controller carried out a proper risk analysis only after the personal data breach had been notified to the President of the Personal Data Protection Office. The risks in the area of processing personal data on external data carriers were then assessed as acceptable, but only after taking into account safeguards such as blocking USB ports to prevent the use of private external data storage devices.
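The safeguard the decision refers to, blocking private removable storage on employee workstations, is ordinarily delivered on Windows through the "Removable Storage Access" Group Policy settings. The script below is an added example and is not part of the UODO decision or of the controller's own configuration; it assumes a Windows 10/11 endpoint, an elevated PowerShell session, and that the policy is applied through the registry keys behind those Group Policy settings (the device-class GUID for Removable Disks and the `Deny_Write`/`Deny_Read` values are the standard ones Windows uses; the `USBSTOR` service `Start` value is checked as an alternative, driver-level block). The function names are the author's own.

```powershell
# Added example (not from the decision): enforce and verify a "deny write to removable
# storage" policy on a Windows endpoint, the kind of safeguard the decision describes.
# Assumes: Windows 10/11, elevated PowerShell, settings applied via the Group Policy
# registry keys rather than the GPMC UI. In a domain these keys would normally come
# from a GPO; here they are set locally so the check is self-contained.

# Device-setup class GUID for "Removable Disks", used by the Removable Storage Access policies.
$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksGuid"
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStorageDeny {
    # Denies writes to removable disks; -DenyRead additionally denies reads.
    param([switch]$DenyRead)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Equivalent of "Removable Disks: Deny write access" = Enabled
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -Value 1 -Type DWord
    if ($DenyRead) {
        # Equivalent of "Removable Disks: Deny read access" = Enabled
        Set-ItemProperty -Path $PolicyKey -Name 'Deny_Read' -Value 1 -Type DWord
    }
}

function Test-RemovableStorageDeny {
    # Returns a compliance record that can be collected centrally from many hosts,
    # which is the "regular testing of safeguards" the decision found missing.
    $denyWrite = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
    $denyRead  = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_Read'  -ErrorAction SilentlyContinue).Deny_Read
    # Start = 4 means the USB mass-storage driver is disabled entirely.
    $usbStart  = (Get-ItemProperty -Path $UsbStorKey -Name 'Start' -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DenyWrite       = ($denyWrite -eq 1)
        DenyRead        = ($denyRead -eq 1)
        UsbStorDisabled = ($usbStart -eq 4)
        # Either control is sufficient to stop data being copied onto a private pendrive.
        Compliant       = ($denyWrite -eq 1) -or ($usbStart -eq 4)
    }
}

Set-RemovableStorageDeny
Test-RemovableStorageDeny | Format-List
```

Registry-level policy values are read when Group Policy is processed or the device is (re)plugged, so run `gpupdate /force` or reboot before trusting the first report. The check function is the part worth scheduling: running it across the estate and alerting on `Compliant = False` turns a one-off configuration into the regularly tested safeguard the decision calls for. Where the business genuinely needs removable media, the same policy area can be paired with a "deny write access unless BitLocker-protected" setting so that only encrypted, organisation-issued drives can be written to.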

The President of the Personal Data Protection Office, Mirosław Wróblewski, considered that the infringement of the GDPR found in the present case was of considerable gravity and serious nature, as it posed a high risk of adverse effects on data subjects. There is no evidence that the personal data processed on the unsecured storage device have not been disclosed to third parties.

The long duration of the breach of the GDPR must also be taken into account to the detriment of the controller.

The controller did not act deliberately, but it made numerous omissions that significantly increased the risk of a breach of the confidentiality of the data processed; this is evidence of gross negligence on the part of the controller and constitutes a significant aggravating circumstance.

After the incident, the controller took actions that undoubtedly contributed to strengthening information security. For the supervisory authority, this is an important signal that the controller was aware of its deficiencies in the area indicated.

According to the supervisory authority, those circumstances show that the controller could and should have foreseen that the solutions it had adopted did not ensure an adequate level of security for personal data processed by employees on private storage media, and that the incorrect analysis led to further irregularities. The outcome of the proceedings before the President of the Personal Data Protection Office is therefore not only an improvement in the way the controller protects its data, but also a fine.

Decision in Polish: https://orzeczenia.uodo.gov.pl/document/urn:ndoc:gov:pl:uodo:2024:dkn_5131_3/content?query=