02.12.2024

The controller should regularly test, quantify and evaluate the effectiveness of measures

A lost laptop with data: the technical and organisational measures were insufficient.

The President of the Personal Data Protection Office has imposed a fine of PLN 24,555 on the Stołeczna Chorągiew ZHP (the Warsaw region of the Polish Scouting and Guiding Association) for failing to implement technical and organisational measures appropriate to the risks of the data processed on its laptops.

The Chorągiew was also ordered to implement appropriate data protection measures within three months of the date of the decision.

The breach that led to the fine from the President of the Polish SA occurred when a ZHP instructor left a backpack containing a laptop belonging to the Chorągiew on the underground. The laptop held personal data such as: surnames and first names, parents' names, dates of birth, bank account numbers, addresses of residence or stay, PESEL identification numbers, e-mail addresses, data on salary and/or assets owned, ID card series and numbers, telephone numbers, health data and other data (association membership, service assignment).

The Chorągiew notified the Police and the President of the Personal Data Protection Office of the incident; the latter, after analysing the breach, initiated administrative proceedings. The Police did not pursue the case because the backpack had been lost rather than stolen.

The Chorągiew had carried out a risk analysis for personal data. However, it did not cover the risk of inadequately secured transport of data carriers; that risk was added to the analysis only after the laptop was lost. It was also only then that it became apparent that the measures ‘regarding the encryption of drives on company computers taken outside the Controller's buildings (...)’ needed to be reviewed.

Thus, as the President of the Polish SA noted, the risk analysis and the measures implemented on its basis were insufficient. The Polish SA pointed out that the controller's role is not limited to the one-off development and implementation of organisational and technical measures to ensure that personal data are processed in compliance with the principles expressed in the GDPR. Losing a laptop is a chance event; what is decisive in such a situation is whether the controller has regularly tested, quantified and evaluated the effectiveness of the technical and organisational measures meant to secure the processing of personal data. In practice this is the difference between losing a device and losing the data on it: drive encryption that is in place and verified to work, the very measure the Chorągiew later found it had to review, keeps the data out of a finder's reach even when the hardware is gone.

Decision no. DKN.5131.9.2024