SGGW did not implement technical and organisational measures sufficient to guarantee the security of the personal data of candidates for studies, the Provincial Administrative Court in Warsaw (WSA) confirmed in its judgment of 13 May 2021. The WSA upheld the decision of the President of UODO to impose a fine of 50,000 PLN on the university.
The case examined by the WSA concerns the decision of the President of UODO relating to a breach of the personal data of candidates for studies at SGGW in November 2019. During that period, a private laptop belonging to a university employee, on which personal data of candidates to the university were stored, was stolen. A subsequent inspection and administrative proceedings conducted by UODO found irregularities on the part of the data controller, which resulted in a fine.
Before the Court, the university tried to show that it was not the controller of the data held on the employee's stolen private computer. In its view, it was the employee who was the controller of that processing, because, without the knowledge of the controller and in breach of internal procedures, he had processed the recruitment data of students for a period of 5 years on his private equipment.
The university's internal regulations specify that the personal data of candidates for studies may be processed for a maximum period of three months.
</gml_replace>
<gr_replace lines="5" cat="clarify" orig="The administrative court">
The administrative court did not agree with the university and indicated that UODO was right to treat SGGW as the data controller. The court stressed that, under the GDPR definition of a controller, it was the university that performed that role, because it determined the purposes and means of processing the candidates' personal data. The employee whose device containing the personal data was stolen was not a body that independently decided on the purposes and means of the processing. He carried out the processing activities because he was an employee of the university, involved in the student admission process.
The administrative court was not in agreement with the university and has indicated that UODO was right to recognize the SGGW as data controller. The court has underlines that according to the definition of the data controller into the GDPR, it was the university that was carrying out that role, because it was deciding the purposes and ways of processing personal data of candidates. The employee to which has been stolen the device which was including personal data was not a body who was deciding automatically purposes and ways of the processing. It has performed the processing activities because he was an employee of the university, affected into the proceeding of subscription of students.
The Court stressed that an employee of the university does not act as a separate legal entity. His actions are the actions of the employer, who bears responsibility for them while retaining the possibility of pursuing compensatory, disciplinary and administrative liability against the employee. This assessment is not changed by the fact that the employee's actions went beyond the tasks entrusted to him.
The WSA agreed with the Authority that the university had breached a number of GDPR principles, among them the principle of integrity and confidentiality, under which personal data must be processed in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The Court noted that the controller had not carried out a risk analysis and had not assessed all the risks it was facing. As a result, it had not implemented technical and organisational measures to protect the personal data being processed. The threat to the data processed by SGGW was the possibility of exporting data from the Candidate Service System to an external medium without that operation being recorded in the IT system.
The court also agreed with the supervisory authority that the university had not supervised the processing of personal data in which its employee participated, nor verified the correctness of his actions.
The WSA also confirmed that UODO had correctly imposed the fine on the university, taking into account all the circumstances listed in Article 83(2) of the GDPR.
Judgment of 13 May 2021 (1)
SOURCE: POLISH DATA PROTECTION AUTHORITY - UODO