Szczecin-Centrum District Court: Insufficient technical and organisational measures to ensure information security

The Polish DPA has imposed a fine of EUR 6,400 on the Szczecin-Centrum District Court. The court had reported a data breach to the DPA involving the loss of three data carriers. One data carrier was an official and encrypted one, the other two were private and unencrypted data carriers containing drafts of court rulings and statements with personal data. In the course of its investigation, the DPA discovered that data carriers which had not been checked and secured by the court's IT department had been used on official computers over a period of many years. In addition, the DPA found that although there were regulations prohibiting the use of private data carriers, the court failed to check whether employees actually complied with these regulations. In addition, the court failed to implement technical measures to prevent the use of private data carriers. ---UPDATE--- The Supreme Administrative Court dismissed the appeal by the controller against the judgement made by the Provincial Administrative Court in Warsaw which had upheld the decision of the DPA.

GDPR Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1), (2) GDPR, Art. 32 (1), (2) GDPR
Industry: Public Sector and Education