We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.



The Provincial Administrative Court dismissed the appeal of the SGH Warsaw School of Economics

PrintMailRate-it

​​​​​​​​​​​​​​​published on 22 January 2025 | reading time approx. 2 minutes


The Provincial Administrative Court ruled on the case for inadequate protection of personal data in a student exchange recruitment application. The President of the Personal Data Protection Office (PDPO) had imposed a fine of 35,000 zloty on the university.

The irregularities were discovered when a personal data breach occurred during the system migration to a new server in 2022. The incident involved accidental online disclosure of the personal data of 1,461 current and former students and graduates of the SGH. 

The university alleged that the incident had been caused solely by a human error and that the error had occurred despite the due care exercised, including the required personal data protection standards. The President of the PDPO drew different conclusions, as he found that the university had failed to comply with its obligations under the GDPR because it had, among other things, failed to analyse risks, properly select security measures and reliably assess their effectiveness.

The SGH appealed the PDPO’s decision, but the Provincial Administrative Court declared the appeal unfounded.

The court agreed with the position of the supervisory authority. The court recognised that, during the administrative proceedings which preceded the decision, the university had failed to demonstrate that it had indeed implemented technical and organisational measures to ensure the security of the personal data processed in the recruitment system and that it had regularly tested and assessed their effectiveness. 

Therefore, the Provincial Administrative Court saw no grounds on which to quash the appealed decision and at the same time considered the supervisory authority's decision not only justified but also necessary. The court confirmed that the data leak had resulted not from a human error alone, but, above all, from the processing of data in non-compliance with the GDPR. This article is based on the information published on https://uodo.gov.pl/pl​​.

DATA PROTECTION BITES

author

Contact Person Picture

Aneta Siwek

Senior Associate

+48 32 721 23 94

Send inquiry

RÖDL & PARTNER POLAND

Discover more about our offices in Poland. Read more »
Skip Ribbon Commands
Skip to main content
Deutschland Weltweit Search Menu