Data regulator issues penalty under GDPR

A data breach at a top Polish university has highlighted the pitfalls of using personal devices to process sensitive information.

The Warsaw University of Life Sciences (SGGW) was found to have exposed the personal data of students and prospective degree candidates back in November 2019.

This week, the president of the Polish National Personal Data Protection Office (UODO) fined the institution PLN 50,000 ($13,000) for a breach of GDPR rules.

Up to 100 students may have had their information exposed after data was stored on an employee’s personal device, which was later stolen.

The university was not aware that the employee was processing students’ personal data on a non-work device, a statement from the UODO reads.

Read more of the latest GDPR and data breach news

The supervisory body said these circumstances “indicate a breach of the principle of confidentiality and accountability specified in the GDPR”.

Further to this, the university had stored the data of prospective students for five years, which the UODO said breaches the principle of storage limitation in the GDPR.

Security pitfalls

The regulator said the fine imposed also took into account the failure of the university to implement “appropriate organizational and technical measures”.

The statement reads: “The supervisory authority took into account that the personal data breach concerned candidates for studies at SGGW for the last five years, covered a wide range of data, and that the number of persons affected could be up to 100 (upper limit).

“It was also important for establishing the amount of the fine that the controller had no knowledge of the processing of personal data on the employee’s private computer, nor did it control the processing of data by failing to verify on which media the personal data of candidates for studies collected from the IT system were processed and by failing to record this operation in the IT system.”

It was also “established that the university had not implemented appropriate organizational and technical measures to ensure” that personal data was processed securely.

The advisory noted that the institution cooperated with the UODO and has taken meaningful steps to process data more securely.

RELATED Europe falling behind the US and China on cybersecurity funding, expertise

A spokesperson for SGGW told The Daily Swig: “After the theft of the computer containing students’ data, we have immediately begun works that will prevent issue like that from happening in the future.

“Currently there is no possibility for members of [the] admissions commission to copy the students’ data.

“Additionally, works related to admissions and data analysis are conducted entirely on secured computers placed in one room. Furthermore, we have introduced proper technological protection.

“Currently candidates’ and students’ data are safe and protected and are not stored after the admissions are over.”

Post-GDPR landscape

Several Polish companies and government agencies have been fined by the data regulator for breaching the GDPR since its introduction in May 2018.

Notable breaches include:

  • April 2019 – An unnamed sports association was fined PLN 58,000 ($15,000) for publishing information referring to judges who were granted judicial licenses online.
  • September 2019 –, an online shopping website, was fined PLN 2.8 million ($742,000) for a data breach impacting 2.2 million people.
  • August 2020 – The Surveyor General of Poland, the agency responsible for land and mortgage registries, was fined PLN 101,000 ($26,700) for processing personal data without legal basis.

READ MORE Universities open for business to cybercriminals