Polish DPA fined university

Polish DPA fined university for failing to issue a data breach notification

The Polish DPA has fined a university for neglecting to notify the authority as well as affected persons after a data breach.

In June of 2020, the Polish DPA was notified of a data breach at a medical university. According to the complaint received, during the university’s examinations held towards the end of May 2020, students were identified via videoconference. Following the examinations, these recordings were available not only to the students being examined, but also to others who had access to the system. In addition, any third party could have access to the examination recordings, and by extension, the examined students’ personal data presented during the identification process, by using a direct link. 


While information in the complaint indicated a high risk to the rights and freedoms of those persons affected, the data controller disagreed.


The information contained in the complaint indicated that the incident may have presented a high risk to the rights and freedoms of those persons who took the examination. UODO wrote to the university for further clarification; however, the data controller replied in writing, arguing that the incident presented a very low risk to the rights and freedoms of the affected persons and that it was therefore not necessary to notify the authority in connection with this data breach. The university also indicated that the system was modified after the incident to ensure that the recorded examinations were not mistakenly shared. In addition, the controller indicated that it had identified the persons who downloaded the examination file and informed them of their responsibility in having access to this data.


While the Polish DPA acknowledged the efforts made by the controller to secure the data moving forward, the authority maintains that notifications were necessary. 


The UODO has taken the stance that the university, as the data controller in this situation, is responsible for the data, not the individuals who downloaded the files, and that the breach occurred due to this controller's negligence, posing a high threat to the rights and freedoms of the affected students. While the authority acknowledged that the modifications to the e-learning platform used for the examinations will serve to protect students' data by preventing these files from being downloaded, the UODO believes that notification still should have been made to the authority as well as to the students affected.


The UODO believes that the controller has inaccurately assessed the risk associated with this data breach, and as a result failed to meet its obligations.


The Polish DPA found that after the data breach had occurred, the controller failed to meet its obligations to notify both the supervisory authority and the persons affected by the breach. These notifications become necessary when, due to the breach, there is a high risk to the rights or freedoms of the persons affected. The authority believes that the controller had incorrectly assessed the risk involved. In its decision, UODO also indicated that it does not matter, as the controller claims, that the recording of the examination was downloaded only by a limited number of persons, as there is no assurance that it will not eventually be made available to further unauthorised persons.


The Polish DPA fined the University over EUR 5 850 for neglecting their obligation for notification over several months.


The University has incurred a fine of almost 6,000 Euros. The President of the Office took into account not only the failure to notify the DPA and the affected students, but also the duration of the breach (several months passed from the breach to the issuing of the decision), the deliberate inaction of the controller after being informed that notifications were necessary, and the lack of cooperation on the part of the controller with the authority, despite the letters sent and the proceedings initiated. The imposition of this fine should also serve a preventive function, as it shows that controllers cannot neglect their obligations in connection with a personal data breach.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.


Healthcare Committee Data Breach


Healthcare Committee Data Breach in Örebro County, Sweden after sensitive personal data of a patient was published on the region’s website.


A healthcare committee data breach was uncovered after complaints were filed with the Swedish Data Protection Authority (DPA) concerning the publication of a patient's personal data on the region's website. According to an article by the European Data Protection Board, the complaints concerned a patient admitted to forensic psychiatry whose personal details were found, through an audit, to have been published on the region's website. The Swedish DPA found that the region's website published sensitive data wrongfully, with neither legitimate purpose nor legal basis, nor eligibility for an exemption from the prohibition on processing sensitive personal data under the General Data Protection Regulation (GDPR). As a result, the DPA has fined the Committee and ordered some changes to ensure compliance moving forward.


Swedish DPA audit uncovers lack of written instructions for publishing, increasing risk of a data breach.


The Swedish DPA performed an audit after receiving a complaint about the data breach in question and discovered that there were no written instructions in place for the publication of information on the Committee’s website. The Committee had depended solely on oral communication for passing on instructions for publication. The publication of this patient’s personal data was the result of those instructions not being followed. While it was accidental, the publication of that personal data was the result of insufficient organisational measures to ensure protection of personal data.


Healthcare Committee Data Breach results in a fine of 120,000 Swedish kronor and an order for corrective action. 


The Swedish DPA has ordered the Committee to establish written instructions and to institute measures to ensure compliance with those instructions for those who are tasked with publishing data on their website. In addition to ordering the Committee to bring its handling of personal data into full compliance under the GDPR, the DPA has also ordered the payment of a 120,000 Swedish kronor administrative fine (approximately 11,000 Euro). The published document resulting in the data breach has since been removed from the region’s website. 


What should the Healthcare Committee have done in order to avoid the breach?


- Have in place an adequate internal data protection policy providing written and clear instructions about how to process and secure the personal data held by the Committee.

Pursuant to Article 24 GDPR “(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary; (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.

- Deliver relevant training to the employees. When it comes to reducing the risk of data breaches, it is paramount to train the staff so that they understand the new processes you have put in place and also the data protection rules behind them.

Why are the measures above especially important in this case?

The data compromised involves health information, which is a special category of personal data; therefore additional safeguards should apply, and the legal bases for processing it are limited to some specific scenarios. However, it should be noted that the breach would have taken place even if the personal data published on the website had not been sensitive, because there was no legitimate basis to make the information public.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


GDPR Data Breach Notification WP29 Guidelines

The GDPR data breach notification obligation requires the adoption of appropriate technical and organisational measures in order to ensure the safeguarding of personal data during processing. Since the assessment of the degree of risk is not always unequivocal, the Article 29 Data Protection Working Party (WP29) has recently adopted GDPR data breach Guidelines.


When unauthorised or unlawful processing and accidental loss, destruction or damage of personal data occurs, personal data controllers may be under an obligation to notify the supervisory authority and data subjects after an appropriate risk assessment. GDPR data breach Guidelines assist the controllers and the processors to comply with their obligations under Articles 33 and 34 of the GDPR on a potential security breach of personal data.

Data processor’s obligation

Although responsibility for personal data protection belongs to the controller, the data processor must support the controller's compliance with the notification requirements. Hence, if a processor becomes aware of a breach of personal data that it has been processing on the controller's behalf, it is bound to notify the controller 'without undue delay'.

Notification of the personal data breach to supervisory authority

In the event of a security breach likely to result in a risk to the rights and freedoms of individuals, the data controller is obliged to notify the lead supervisory authority in order to receive guidance.

The time frame for notification is no later than 72 hours from the time the controller obtained a reasonable degree of certainty that a breach compromising personal data has taken place. If the controller does not possess all relevant information, it may proceed with notification in phases parallel to its investigation.

Nonetheless, when the breach is unlikely to result in risks to the rights and freedoms of natural persons, the controller is not under an obligation to notify. For instance, if an encrypted CD containing a backup of an archive with personal data is stolen, the notification requirement is unlikely to apply.

Communication of the personal data breach to data subjects

The assessment of risk is decisive for the requirement of communication to the data subjects. If the breach is likely to lead to a high risk to the rights and freedoms of individuals, such as discrimination, financial damage, identity theft, fraud or humiliation, notification of the relevant individuals must be triggered. The severity of the potential impact should be estimated on a case-by-case basis, taking into consideration the type of breach, the nature, sensitivity and volume of the personal data, the ease of identification of individuals, and the special characteristics of the individual and the data controller.

The communication should be characterised by clarity and transparency, through dedicated messages best circulated via several contact channels, e.g. email, advertisements in printed media, communication by post, or prominent website banners.

Failure to notify data subject or supervisory authority

If controllers do not comply with their obligations to notify the supervisory authority, data subjects, or both of a data breach, corrective measures including appropriate administrative fines may apply. The supervisory authority is entitled to impose an administrative fine of up to 10,000,000 EUR or up to 2% of the total worldwide annual turnover of an undertaking, pursuant to Article 83(4)(a) of the GDPR.

Suggested response plan

What to do next? With the help of your Data Protection Officer, a response plan comprising the following areas should be prepared:

  • A person or group of persons should be responsible for receiving all information about security incidents, in order to establish whether a breach has occurred and to assess the risk.
  • A risk assessment regarding the rights and freedoms of individuals should take place and, according to whether it finds no risk, risk or high risk, the outcome should be communicated to the appropriate sections of the organisation.
  • If a likelihood of risk is established, the controller must notify the supervisory authority and, if the risk is high, communicate the breach to the individuals involved.
  • Simultaneously, the controller should take the relevant measures to contain and recover from the breach.

Do you require assistance preparing for the GDPR and managing your data protection obligations after it becomes applicable? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.