On 13 July 2021, the Polish Data Protection Authority (UODO) imposed an administrative fine of PLN 10'000 on the President of the District Court in Zgierz due to a significant data breach involving the loss of an unencrypted USB stick containing sensitive personal data of 400 individuals under probation supervision. UODO determined that the President, as the data controller, failed to implement adequate organisational and technical measures to ensure the confidentiality and integrity of this personal data. The responsibility for data security was improperly shifted to the employees, who lacked the necessary knowledge and tools to protect the data effectively, including encryption measures. Despite the President's claims of ongoing training and system checks by the Data Protection Officer (DPO), the UODO found that these measures were insufficient and not regularly evaluated. Consequently, this negligence resulted in unauthorised access to personal data, violating multiple provisions of the GDPR, including Article 5.