On 30 September 2024, the Supreme Administrative Court (NSA) dismissed the cassation appeal of the President of the District Court in Zgierz and upheld the decision of the Provincial Administrative Court (WSA) in Warsaw. The ruling confirms the Polish Data Protection Authority's (UODO) decision to impose a financial penalty for inadequate data protection measures. The investigation was opened following a personal data breach involving the loss of an unencrypted pen drive containing the data of 400 individuals under probation supervision. The lower court had agreed with the UODO that the controller (the President of the District Court) failed to implement appropriate organisational and technical measures to protect the confidentiality and integrity of personal data. Instead, responsibility was improperly shifted onto the employees, who lacked the necessary knowledge and means to secure the data adequately. This failure led to unauthorised access to personal data, violating data protection regulations under the GDPR.