Krajowa Szkoła Sądownictwa i Prokuratury (National School of Judiciary and Public Prosecutor) – Court Ruling (Poland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The National School of Judiciary and Public Prosecutor (also known as KSSiP, the controller) notified the DPA regarding a data breach in April 2020. The national police notified the controller of the appearance of personal data on the internet related to the controller’s website domain. The data breach involved the access to a copy of the controller’s training site database created during a test migration to a new training platform. This led to the disclosure of personal data of over 50,000 people whose data was collected on the training platform, including judges, prosecutors and law clerks. Following an investigation, the DPA fined the controller PLN 100,000 (€22,000) for failing to implement appropriate technical and organisational measures. According to the DPA, the controller had not properly taken the risks of processing into account, as it did not carry out an impact assessment on the effectiveness of the measures. Furthermore, the controller had not fulfilled several obligations as a controller. For example, the controller had not verified whether its instructions were being complied with by the company hired to carry out the database migration (the processor). In its decision, the DPA stated that the controller violated Articles 5(1)(f), Article 24(1), Article 25(1), 28(3), Article 32(1) and Article 32(2) GDPR. The DPA decided not to fine the processor, as it had complied with its obligations under the GDPR; here, the DPA stated that the data breach occurred as a result of the actions taken by the controller. The controller appealed the case to the Administrative Court, who upheld the reasoning of the DPA in August 2022. The controller later appealed the case to the Supreme Administrative Court. The controller argued that it had implemented sufficient technical and organisational measures, and that the Administrative Court had not had not fully assessed the factual circumstances of the case and had applied the GDPR erroneously by placing all of the resp
GDPR Articles Cited
The National School of Judiciary and Public Prosecutor (also known as KSSiP, the controller) notified the DPA regarding a data breach in April 2020. The national police notified the controller of the appearance of personal data on the internet related to the controller’s website domain. The data breach involved the access to a copy of the controller’s training site database created during a test migration to a new training platform. This led to the disclosure of personal data of over 50,000 people whose data was collected on the training platform, including judges, prosecutors and law clerks. Following an investigation, the DPA fined the controller PLN 100,000 (€22,000) for failing to implement appropriate technical and organisational measures. According to the DPA, the controller had not properly taken the risks of processing into account, as it did not carry out an impact assessment on the effectiveness of the measures. Furthermore, the controller had not fulfilled several obligations as a controller. For example, the controller had not verified whether its instructions were being complied with by the company hired to carry out the database migration (the processor). In its decision, the DPA stated that the controller violated Articles 5(1)(f), Article 24(1), Article 25(1), 28(3), Article 32(1) and Article 32(2) GDPR. The DPA decided not to fine the processor, as it had complied with its obligations under the GDPR; here, the DPA stated that the data breach occurred as a result of the actions taken by the controller. The controller appealed the case to the Administrative Court, who upheld the reasoning of the DPA in August 2022. The controller later appealed the case to the Supreme Administrative Court. The controller argued that it had implemented sufficient technical and organisational measures, and that the Administrative Court had not had not fully assessed the factual circumstances of the case and had applied the GDPR erroneously by placing all of the resp
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Krajowa Szkoła Sądownictwa i Prokuratury (National School of Judiciary and Public Prosecutor) in PL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Krajowa Szkoła Sądownictwa i Prokuratury (National School of Judiciary and Public Prosecutor) - Poland (2025). Retrieved from cookiefines.eu
Last updated: