Saturday, February 14, 2026

SGGW punished for breach of personal data protection – NSA rejects the university’s complaint


In 2019, an incident occurred that shook the academic community and drew attention to the importance of personal data protection in public institutions. The data of prospective students at the Warsaw University of Life Sciences (SGGW) was unlawfully processed and exported to the private computer of one of the employees. Unfortunately, as a consequence of the theft of this device, the confidentiality of the personal data was breached.

The President of the Personal Data Protection Office (UODO), after conducting an investigation, imposed a fine of PLN 50,000 on the university for violating the regulations on the protection of personal data. SGGW challenged this decision, first before the Voivodship Administrative Court (WSA) and then by filing a complaint with the Supreme Administrative Court (NSA). Finally, on February 7, 2025, the NSA dismissed the university’s complaint, upholding the position of UODO.

The University is Responsible for Data Security

In its defense, SGGW argued that the responsibility for the incident lay with the employee, who had acted outside the scope of his granted powers by processing data on a private laptop. The NSA did not share this view, pointing out that the university, as a data controller, bears full responsibility for the processing of the data. The court concluded that while the employee had exceeded his powers, he did not thereby become the data controller. The responsibility for the breach still rested with SGGW.

The NSA stressed that the data controller, in this case the university, should have full control over the processing of personal data. This includes both implementing appropriate procedures and monitoring employee actions to ensure compliance with data protection regulations. In the court’s opinion, SGGW did not fulfill its obligations in this respect, leading to the breach of the confidentiality of the candidates’ personal data.

Decisions of Administrative Courts

The Voivodship Administrative Court (file reference number II SA/Wa 2129/20) did not accept the university’s complaint either, finding the decision of UODO justified. In its ruling, it emphasised that the data controller must anticipate risks associated with the processing of personal data and take preventative actions. The NSA (file reference number III OSK 6801/21) maintained this interpretation, highlighting that the lack of appropriate control and supervision on the part of the data controller led to the incident.

A Lesson for Public and Private Institutions

The NSA’s verdict is an important precedent, reminding us of the importance of adhering to personal data protection principles in organizations. Responsibility for violating the regulations rests with the data controller, who must ensure appropriate procedures and control over how data is processed. The implementation of effective security measures and training employees in data protection are key actions that can prevent similar situations in the future.

Source: https://managerplus.pl/sggw-ukarana-za-naruszenie-ochrony-danych-osobowych-nsa-oddalil-skarge-uczelni-44281
