Personal data on an employee's private computer must also be protected

The Voivodeship Administrative Court upheld the decision of the President of the Personal Data Protection Office, which imposed a penalty of reprimand on the Financial Ombudsman for failing to take appropriate technical and organisational measures to ensure the security of personal data processed.

The lack of analysis of the risks associated with employees using private computers while working remotely resulted in the Financial Ombudsman's failure to implement appropriate measures to properly protect processed data, such as, among others, appropriate procedures and safeguards in the event of device theft. Such a situation occurred in the case of the computer of one of the controller's employees, which resulted in a personal data protection breach. The President of the Personal Data Protection Office therefore issued a reprimand to the Financial Ombudsman, which was upheld by the Voivodeship Administrative Court in Warsaw in its judgment of October 5, 2023.

The personal data breach occurred in connection with the theft of a private computer of a former employee of the Financial Ombudsman. The computer stored personal data processed during remote work provided for the data controller. The fact that the controller failed to conduct a risk analysis resulted in the data not being properly secured. Moreover, the controller did not make sure that the employee effectively and permanently deleted the data from the computer after completing the work. The lack of adequate technical and organisational safeguards led the President of the Personal Data Protection Office to impose a penalty of reprimand on the controller.

Complaining against the supervisory authority's decision, the Financial Ombudsman claimed that the stolen computer belonged to a former employee, and that the President of the Personal Data Protection Office had failed to prove that the computer's hard drive actually contained personal data. The complainant also argued that the administrative proceedings failed to establish whether the computer was password protected, and pointed out that the person who had previously worked for the Financial Ombudsman was a legal counsellor, and therefore a separate data controller.

None of the above mentioned arguments were shared by the Voivodeship Administrative Court in Warsaw. The Court had no doubt that the data controller in this case was the Financial Ombudsman, not its employee. In deciding this issue, the Court referred to the definition of the controller in the GDPR, according to which it is the one who decides on the purposes and means of processing personal data. The Voivodeship Administrative Court emphasised that the employee does not act as a separate legal entity, and his actions are those of the employer, for which the employer is responsible. According to the Court, even an action that breaches or goes beyond the scope of the employee's entrusted tasks and duties as an employee or the former employee's legal counsellor status does not change this legal situation.

The Voivodeship Administrative Court in Warsaw agreed with the President of the Personal Data Protection Office that the data controller should conduct a risk analysis in connection with remote work of employees and their use of both private and work computers. Such an analysis would indicate the need for appropriate measures in the event of, among others, the theft of a computer on which personal data is processed. The Court found that the controller, in failing to comply with the obligations of the GDPR in terms of risk analysis, as well as the implementation of appropriate technical and organisational measures to ensure the security of the processed data, tried to shift the responsibility to the employee. Although the employee was obligated to connect via VPN, use appropriate file encryption software and use log-in password known only to him/her and change them periodically, it does not appear from the contract concluded between the parties that the employee was obliged to encrypt the hard drive.

Responding to the complainant’s allegation that the supervisory authority failed to prove in the proceedings that the computer was not adequately protected, the Court pointed out that the burden of proof in this case rests with the controller, and it is the controller who should be able to prove that the employee's private laptop was adequately protected from potential unauthorised access to the personal data that resided on it.

In its ruling, the Voivodeship Administrative Court pointed out as well that the controller also failed to verify whether the employee had successfully deleted the data from the computer. The Court also found that if the solutions adopted by the Financial Ombudsman were effective, the fact that a former employee’s computer was stolen would not have any impact on the security of the processing of personal data.

According to the Court, the President of the Personal Data Protection Office correctly applied the reprimand, taking into account the actions taken by the controller immediately after the data protection breach.