Krajowa Szkoła Sądownictwa i Prokuratury (National School of Judiciary and Public Prosecutor) – Court Ruling (Poland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The National School of Judiciary and Public Prosecutor in Poland reported a data breach in which personal data of over 50,000 people was exposed online. The data included information about judges and prosecutors, and the school was found not to have taken proper security measures. This case highlights the importance of implementing strong data protection practices to prevent breaches.
What happened
A data breach exposed personal data of over 50,000 individuals associated with the National School of Judiciary and Public Prosecutor.
Who was affected
Judges, prosecutors, and law clerks whose personal data was collected on the school's training platform.
What the authority found
The DPA ruled that the school failed to implement adequate security measures, violating multiple GDPR requirements.
Why this matters
This ruling emphasizes that organizations must take data protection seriously and implement effective security measures. It serves as a reminder for all companies to regularly assess their data handling practices.
GDPR Articles Cited
Original scraped data
Original data from scraper before AI verification against source document.
The National School of Judiciary and Public Prosecutor (also known as KSSiP, the controller) notified the DPA regarding a data breach in April 2020. The national police notified the controller of the appearance of personal data on the internet related to the controller’s website domain. The data breach involved access to a copy of the controller’s training site database created during a test migration to a new training platform. This led to the disclosure of personal data of over 50,000 people whose data was collected on the training platform, including judges, prosecutors and law clerks.
Following an investigation, the DPA fined the controller PLN 100,000 (€22,000) for failing to implement appropriate technical and organisational measures. According to the DPA, the controller had not properly taken the risks of processing into account, as it did not carry out an impact assessment on the effectiveness of the measures. Furthermore, the controller had not fulfilled several obligations as a controller. For example, the controller had not verified whether its instructions were being complied with by the company hired to carry out the database migration (the processor). In its decision, the DPA stated that the controller violated Articles 5(1)(f), 24(1), 25(1), 28(3), 32(1) and 32(2) GDPR. The DPA decided not to fine the processor, as it had complied with its obligations under the GDPR; here, the DPA stated that the data breach occurred as a result of the actions taken by the controller.
The controller appealed the case to the Administrative Court, which upheld the reasoning of the DPA in August 2022. The controller later appealed the case to the Supreme Administrative Court. The controller argued that it had implemented sufficient technical and organisational measures, and that the Administrative Court had not fully assessed the factual circumstances of the case and had applied the GDPR erroneously by placing all of the resp
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Krajowa Szkoła Sądownictwa i Prokuratury (National School of Judiciary and Public Prosecutor) - Poland (2025). Retrieved from cookiefines.eu