POLISH SUPERVISORY AUTHORITY: Media with personal data must be protected


The President of the District Court did not secure the company’s data carriers, but only instructed his employees to do it themselves. However, it is he, as the data controller, and not the user of the carrier, who is responsible for implementing appropriate technical and organizational measures to ensure adequate data security. For the lack of such solutions, the supervisory authority imposed an administrative fine of 10 thousand PLN on the President of the Court.

The decision to impose the fine is connected with the notification of a personal data protection infringement by the President of the District Court in Zgierz, consisting of the loss of an unencrypted portable memory stick by a probation officer. The data of 400 people under probationary supervision and subject to community interviews was stored on the memory stick. Due to the scope of the personal data disclosed, the breach caused a high risk of infringement of the rights or freedoms of natural persons; the controller therefore published a notice of the breach on the website of the District Court in Zgierz.

The lost and at the same time unsecured memory carrier has not been found so far, so an unauthorized person or persons may still have access to the personal data contained therein.

In the course of the proceedings before the Office for the Protection of Personal Data, the controller indicated in his explanations that he had implemented a personal data protection system in the form of personal data processing rules. The documentation is regularly updated and audited by a data protection officer appointed for this purpose. Moreover, the controller assured that it had undertaken actions in the form of on-site and e-learning training for the Court’s employees (including probation officers) regarding personal data protection and the records of the implemented documentation, as well as on-duty inspections by the DPO at the controller’s premises, on-line inspections and ad hoc inspections conducted by the DPO during the on-duty inspections.

However, according to the documents binding for the controller, the obligation to secure the media rests with the users. According to the DPO, such an approach is inappropriate. The investigation showed that the controller violated, among others, the principle of confidentiality and integrity of personal data by issuing unsecured portable storage media to probation officers for their official use and obliging them to implement the security measures for the storage media themselves. The consequence of failing to implement appropriate organizational and technical measures if a probation officer loses such a carrier is that unauthorized persons can access the personal data contained therein.

It is worth mentioning that training employees in the field of personal data protection is necessary; however, such training cannot be considered an appropriate organizational measure in this particular case, nor should it replace solutions of a technical nature, which the controller did not foresee. Moreover, in this case, the controller left the actual securing of the carrier to its user, without indicating any examples of adequate safeguards that the employee might apply. It should be borne in mind that employees, as was the case here, may not know how to secure personal data media. The actions applied by the President of the Court cannot therefore be considered the implementation of adequate technical or organizational measures.

It should be pointed out that it is the data controller, and not the employee or person performing official tasks, who is obliged to implement appropriate technical and organizational measures so that the processing is carried out in accordance with the requirements of the GDPR.

When setting the amount of the administrative fine, the DPA took into account as a mitigating circumstance the good cooperation of the President of the Court with the supervisory authority undertaken and carried out in order to remove the infringement and mitigate its possible negative effects.
