The President of the Polish DPA found a breach of the GDPR and imposed an administrative fine in the amount of PLN 100 000 (nearly EUR 22 000) on KSSIP for failing to fulfil its obligations as a controller.
According to the Personal Data Protection Office, the controller did not take the technical and organisational measures necessary to ensure the confidentiality of the processing services. KSSIP neither tested nor assessed the effectiveness of the technical and organisational measures meant to secure the personal data contained in the copy of the database of the KSSIP training platform, and thus did not properly take into account the risks associated with changes in the processing of personal data.
In addition, it should be pointed out that the controller entrusted the processing of personal data to a processor without a binding contractual commitment to process personal data only on documented instructions from the controller.
Let us recall that KSSIP notified the UODO of a personal data breach after the National Police Headquarters reported that personal data related to the domain kssip.gov.pl had appeared on the Internet. The notified incident involved unknown persons gaining unauthorised access to a copy of the KSSIP training site database created during a test migration to a new training platform. The breach involved the personal data of more than 50 000 people, users subject to continuous training, whose personal data were collected on the KSSIP training platform. Those persons hold positions including judges, court assessors, prosecutors, assistant prosecutors and law clerks.
Organizational and technical measures
A controller implements appropriate technical and organisational measures so that the processing of personal data is carried out in accordance with the GDPR. These measures shall be reviewed and updated as necessary. This means that the controller, when assessing the proportionality of the safeguards, should take into account the factors and circumstances of the processing (e.g. its type and means) and the risks involved.
On the IT resources of KSSIP there was a copy of the database whose existence and security, after the migration activities were performed, were in no way verified by the controller, even though such verification is its legal obligation under the personal data protection provisions. In relation to the changes in the processing, KSSIP did not take sufficient measures to verify the security of the processing environment before and after the migration activities.
The entrustment of data processing must be precisely defined
When the processing of personal data is entrusted to an external processor, the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, as well as the obligations and rights of the controller, shall be specified in the personal data entrustment contract.
The content of the entrustment contract in this case insufficiently defined the scope of the entrusted data. When entrusting the processing of personal data to the processor, KSSIP did not include the categories of data subjects in the personal data processing entrustment contract and did not specify the type of personal data by indicating their categories. In addition, the fined entity did not include in the contract the obligation of the processor to process personal data only on documented instructions from the controller.
The model of cooperation between the controller and the processor was ineffective. The controller's lack of understanding of its role in the relationship with the processor led to the personal data protection breach. KSSIP, both before and after the data protection breach was established, was not fully aware of how the rights and obligations between the controller and the processor were shaped.
The proceedings against the processor were discontinued
The processor complied with the obligations under the entrustment contract and the main contract, and applied the organisational measures it had adopted in order to ensure the security of the IT systems. It was the controller that did not analyse whether, by indicating to the processor a location for making a backup copy of the database, it was exposing the personal data contained therein to a breach of their confidentiality.
In the opinion of the Personal Data Protection Office there are also no legal grounds to accuse the processor of breaching the obligation to support the controller in complying with its duties. As a result, the proceedings in this respect were discontinued.
For more information please contact the Polish DPA at firstname.lastname@example.org