The Warsaw University of Life Sciences – €11,500 Fine (Poland, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Warsaw University of Life Sciences was fined €11,500 after a staff member's private computer, containing personal data of applicants, was stolen. This incident shows the risks of using personal devices for work purposes and the importance of proper data security measures. Organizations should ensure their data protection strategies are robust and involve their Data Protection Officers in key processes.
What happened
A university employee's private computer, used for processing applicant data, was stolen, compromising personal data.
Who was affected
Applicants to the Warsaw University of Life Sciences whose personal data was stored on the stolen device.
What the authority found
The UODO found that the university failed to implement adequate security measures to protect personal data, leading to a data breach.
Why this matters
This case highlights the importance of securing personal data, especially when using personal devices for work, and involving Data Protection Officers in data handling processes to prevent breaches.
GDPR Articles Cited
A university employee used their private computer for business purposes, including for processing the personal data of study candidates at SGGW. The employee's device was stolen, which led to the personal data of up to 100000 data subjects being compromised. Furthermore, the records included the data of candidates from the last 5 years, although the prescribed storage period at SGGW was 3 months from the completion of the recruitment process. Among others, the data included contact details, grades from diplomas, average grade from studies, and the field of study for which the candidate was applying.
Had the SGGW, acting as data controller, implemented appropriate technical and organisational measures to ensure the security of the personal data?
The UODO held that the SGGW had not taken sufficient technical and organisational measures to ensure a level of protection appropriate to the risks of the processing operation. In its reasoning, the DPA emphasised that such measures should include the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems, as well as a process for regularly testing, assessing, and evaluating the effectiveness of the measures put in place.
Furthermore, the UODO held that the Data Protection Officer (DPO) did not have due regard to the risks associated with the processing operations. The DPO was not involved by the SGGW in the recruitment process, including the functioning of the IT system used for this purpose. The DPA emphasised that an increased involvement of the DPO by the university could reduce the risks of inappropriate processing operations.
Details
Fine Date: 21 August 2020
Authority: Urząd Ochrony Danych Osobowych
Fine Amount: €11,500 (50,000 PLN)
GDPRhub ID: gdprhub-2716
Cite as: Cookie Fines. The Warsaw University of Life Sciences - Poland (2020). Retrieved from cookiefines.eu