POLISH DPA IMPOSES FINE ON THE MEDICAL UNIVERSITY OF SILESIA FOR THE LACK OF DATA BREACH NOTIFICATIONS

27.01.2021

The Polish Data Protection Authority (“DPA”) imposed a fine of PLN 25 000 (over EUR 5 850) on the Medical University of Silesia for failing to notify the DPA and the persons affected by the incident of a data breach.

In this case, the Medical University of Silesia recorded students during examinations held by video conference at the end of May 2020. After the examinations ended, the recordings were available not only to the examined students but also to others who had access to the system. Moreover, by using a direct link, any third party could access the examination recordings and the examined students' personal data presented during identification.

Following a complaint on the matter, the Polish DPA asked the University to clarify the situation. In its reply, the University argued that it was not necessary to notify the Polish DPA of the breach, since the system had been modified so that files containing the examination recordings would not be shared by mistake. The University also indicated that it had identified the persons who downloaded the examination file and notified them of their responsibility for using these data.

However, the University did not notify the data breach to the DPA and did not notify the persons affected by the incident, even though this was indicated by the Polish DPA. Therefore, the Polish DPA found that a data breach had occurred and that the University had failed to comply with its obligations to notify both the supervisory authority and the persons affected by the breach. The Polish DPA also indicated that it is irrelevant that, as the controller claims, the file with the examination recording was downloaded by only 26 persons, since there is no certainty that it will not be made available further to unauthorized persons.

You can read the EDPB’s statement about the subject here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr