Cybersecurity training organised by the President of the Personal Data Protection Office and the Church Data Protection Officer – a report
On April 20, 2026, the Personal Data Protection Office, in cooperation with the Church Data Protection Officer, organised a training session for church data protection officers, priests, nuns, staff members, and volunteers from various organisations within the Catholic Church. Over 370 people participated in the online event.
Mirosław Wróblewski, President of the Personal Data Protection Office, emphasised the role of data protection officers in supporting controllers in fulfilling their obligations under the GDPR, which include, among other things, implementing appropriate technical and organisational measures. Threats to personal data protection are constantly evolving and growing in scale, which increases the risk to the legally required protection of personal data, the President of the Personal Data Protection Office emphasised.
“During the Data Protection and New Technologies Congress, a panel discussion aimed at churches and religious organisations clearly highlighted the fact that the organisational units of churches and other religious organisations are also victims of cyberattacks. In light of these signals, we have launched joint educational initiatives with the Church Data Protection Officer in this regard,” concluded Mirosław Wróblewski, President of the Personal Data Protection Office.
Priest, Prof. Piotr Kroczek, Ph.D., emphasised that it is essential to make long-term investments—specifically in the area of technical and organisational measures. He noted that such actions must stem from “foresight” and a forward-looking mindset.
In the next part of the meeting, Artur Klepacki, Director of the IT and Cybersecurity Department at the Personal Data Protection Office, introduced the audience to the topic of implementing appropriate security architecture in the age of AI. He emphasised that there has been a paradigm shift in the activities of cybercriminals: their attacks are no longer aimed solely at infrastructure but are directed against people themselves, constituting an “attack on our minds.” Artur Klepacki also stressed that humans are the “last line of defense” against attacks, which is why one should follow the principle of limited trust, immediately update software, and apply “security patches.” It is also very important to separate one’s private life from one’s professional life.
Cyber hygiene empowers individual users by enhancing their security in the face of the evolving nature of cybercrime. Applying the principle of limited trust, keeping software up to date, and using strong passwords are practices that apply to both individual users and administrators. Artur Klepacki added that, in addition to these measures to enhance network security, it is important to emphasise the use of appropriate solutions across the entire network infrastructure and the inventory of its resources. The processing of personal data by administrators also requires informing users about the possible monitoring of their online activities, in accordance with the principle of data minimisation set forth by the GDPR.
In the second part of the training, Priest Daniel Budziński discussed the most common challenges parishes face in their daily digital security practices. Digital security can be improved by applying principles of caution and foresight, including those that are obvious but not always followed, such as software updates, using sufficiently long and unique passwords, or multi-factor user authentication.
The meeting was coordinated and moderated by Jakub Groszkowski, counselor and chief coordinator for personal data protection in churches and religious associations at the Personal Data Protection Office. In his summary, he emphasised that very often the weakest link in a controller's personal data protection system is the human factor, which is why it is so important to build awareness of personal data protection and cybersecurity in organisations, including organisational units of churches and other religious associations.
The Personal Data Protection Office plans to organise another similar event in cooperation with the Church Data Protection Officer of the Polish Autocephalous Orthodox Church.
Below you will find training materials in the form of presentations used during the training.