The Provincial Administrative Court dismissed the appeal of the SGH Warsaw School of Economics

The irregularities were discovered when a personal data breach occurred during the system migration to a new server in 2022. The incident involved accidental online disclosure of the personal data of 1,461 current and former students and graduates of the SGH. 

The university alleged that the incident had been caused solely by a human error and that the error had occurred despite the due care exercised, including the required personal data protection standards. The President of the PDPO drew different conclusions, as he found that the university had failed to comply with its obligations under the GDPR because it had, among other things, failed to analyse risks, properly select security measures and reliably assess their effectiveness.

The SGH appealed the PDPO’s decision, but the Provincial Administrative Court declared the appeal unfounded.

The court agreed with the position of the supervisory authority. The court recognised that, during the administrative proceedings which preceded the decision, the university had failed to demonstrate that it had indeed implemented technical and organisational measures to ensure the security of the personal data processed in the recruitment system and that it had regularly tested and assessed their effectiveness. 

Therefore, the Provincial Administrative Court saw no grounds on which to quash the appealed decision and at the same time considered the supervisory authority's decision not only justified but also necessary. The court confirmed that the data leak had resulted not from a human error alone, but, above all, from the processing of data in non-compliance with the GDPR. This article is based on the information published on https://uodo.gov.pl/pl​​.