Voivodeship Administrative Court: an employee may not replace the controller in its duties

The fact that the controller limits itself to training the employees and omits the application of technical safeguards cannot be regarded as the implementation of appropriate technical or organisational measures. This is what the Voivodeship Administrative Court in Warsaw (WSA) stated, dismissing the complaint filed by the President of the District Court in Zgierz against the decision of the Polish Data Protection Authority.

WSA in its ruling of 15 February 2022, upheld the decision of the supervisory authority, in which an administrative fine of 10 000 PLN was imposed on the President of the District Court in Zgierz in connection with the identified personal data protection breach. The case concerned the loss by
a probation officer of an unencrypted memory carrier (a pen drive). The data of 400 persons subject to probation supervision and covered by community interviews were stored on the medium.

In the justification of the judgment of 15 February 2022*, WSA stated that the supervisory authority correctly established the facts of the case and properly assessed the evidence, thus not supporting the allegations of the applicant challenging the controller’s decision.

In the case in question, it was undisputed that the personal data breach occurred as a result of losing an unencrypted data carrier (a pen drive). The controller issued an unsecured device for official use and obliged the probation officers to secure the data carrier on their own.

The court upheld the supervisory authority's position that an employee may not replace the controller in the performance of its duties. Moreover, the employee may not have adequate knowledge regarding the application of appropriate organisational or technical measures or may implement inappropriate safeguards and inadequate to the scope of personal data processed.

In the opinion of the Polish Data Protection Authority, which was also pointed out by WSA, the controller infringed, among others, the principle of confidentiality and integrity of personal data because it failed to introduce appropriate organisational and technical measures adequate to the means and purposes of data processing, which the President of the Court reached for only after the loss of the data carrier. Consequently, this failure allowed unauthorised persons to access personal data.

In the court's view, the process of determining and implementing safeguards for processed personal data in such a way deprives the controller of access to basic information. This results in the lack of knowledge about what safeguards are in place in the organisation and whether they will be effective against potential threats.

WSA agreed with the Polish Data Protection Authority that the imposed administrative fine will fulfil both repressive and preventive function.

* File Number. II SA/Wa 3309/21