Personal data carrier must be secured

The President of the District Court did not secure the company data carrier, but only instructed his employees to do it themselves. However, it is the controller, and not the user of the carrier, who is responsible for implementing appropriate technical and organisational measures to ensure adequate data security. For the lack of such measures, the supervisory authority imposed an administrative fine of PLN 10 000 on the President of the Court.

The decision to impose the fine is connected with the notification by the President of the District Court in Zgierz of a personal data breach consisting in the loss of an unencrypted portable memory drive by a probation officer. The personal data of 400 individuals subject to probation supervision and covered by community interviews were stored on the carrier. Due to the scope of the personal data disclosed, the breach caused a high risk of infringement of the rights or freedoms of natural persons; the controller therefore communicated the personal data breach on the website of the District Court in Zgierz.

The lost and, at the same time, unsecured memory carrier has not been found so far, so the personal data on it may still be accessed by an unauthorised person or persons.

In the course of the proceedings before the Personal Data Protection Office (UODO), the controller indicated in his explanations that he had implemented a personal data protection system in the form of personal data processing rules. The documentation is updated on an ongoing basis and audited by a data protection officer (DPO) appointed for this purpose. Moreover, the controller assured that he had undertaken actions in the form of: on-site and e-learning training for the Court's employees (including probation officers) regarding personal data protection and the implemented documentation rules; stand-by duty performed by the DPO at the controller's premises; on-line stand-by duty; and ad hoc inspections conducted by the DPO during stand-by duty.

However, based on the controller’s documents, the obligation to secure the data carriers rests with the users. In the opinion of the UODO, such an approach is inappropriate. The investigation showed that the controller breached, among others, the principle of confidentiality and integrity of personal data by issuing unsecured portable memory carriers to probation officers for their official use and obliging them to implement the security measures for such carrier on their own. The consequence of the failure to implement appropriate organisational and technical measures, in the event that such a carrier is lost by a probation officer, is that unauthorised persons can access the personal data contained therein.

It is worth mentioning that the training of employees in personal data protection is necessary; however, it cannot be considered an appropriate organisational measure in this particular case, and it should not replace measures of a technical nature, which were not provided for by the controller. Furthermore, in this case, the controller left the effective securing of the carrier to its user, without indicating any examples of adequate safeguards that the employee might apply. It should be borne in mind that employees, as was the case here, may not know how to secure personal data carriers. Therefore, the actions taken by the President of the Court cannot be considered the implementation of appropriate technical or organisational measures.

It should be pointed out that it is the controller, and not the employee or the person performing official tasks, who is obliged to implement appropriate technical and organisational measures so that the processing is carried out in accordance with the requirements of the GDPR.

When setting the amount of the administrative fine, UODO took into account as a mitigating circumstance the good cooperation of the President of the Court with the supervisory authority undertaken and carried out in order to remedy the infringement and mitigate its possible negative effects.

The original press release is available in Polish here.

The full text of the decision is available in Polish here.

For further information, please contact the Polish DPA: