Prezes Urzędu Ochrony Danych Osobowych – Court Ruling (Poland, 2021)

On 20 August 2020, the Polish DPA [https://gdprhub.eu/index.php%3Ftitle=UODO_-_ZSO%C5%9AS.421.25.2019 imposed a fine] of approximately €11,000 on the Warsaw University of Life Sciences (SGGW) for failing to implement sufficient technical and organizational measures to prevent exposure of over 80000 records about study candidates. The data breach occurred as a result of a theft of a university employee's private laptop, on which the personal data of candidates for studies had been saved. The university argued that it had not been a controller of the data stored on the stolen device. Instead, it was the employee acting without knowledge of SGGW and in violation of internal procedures. The court fully upheld the DPA's decision and stated that the SGGW had violated the GDPR. The court disagreed with the argument that the SGGW had not been a data controller in the case. The university determined the purposes and means of the processing of personal data. Its employee was always acting on behalf of the university. Subsequently, the court agreed with the DPA that the university violated several provisions of the GDPR, including the principle of integrity and confidentiality and that the fine was correctly imposed.