Śląski Uniwersytet Medyczny (Medical University of Silesia): Insufficient fulfilment of data breach notification obligations

The Polish DPA (UODO) imposed a fine of PLN 25,000 (EUR 5,500) on the Medical University of Silesia. In the course of exams held in the form of videoconferences at the end of May 2020, identification of students took place. Once the exam was completed, the recordings of the exams were available not only to the examinees, but also to other people with access to the system. In addition, any outsider could access the records of the examinations and the data of the examined students presented during identification via a direct link. The University failed to report the data breach to the DPA and notify the data subjects.

GDPR Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR
Industry: Public Sector and Education