Poland: UODO fines Medical University of Silesia PLN 25,000 for data breach notification failures
The Polish data protection authority ('UODO') announced, on 18 January 2021, its decision to fine the Medical University of Silesia PLN 25,000 (approx. €5,520) for failing to notify the UODO and the affected data subjects of a data breach relating to examinations conducted in the form of videoconferences on a special e-learning platform, at the end of May 2020. In particular, the decision notes due to an employee's failure to close access to the virtual room where the exam took place, the recordings of students were available not only to the examiners, but also to other people who had access to the system, and any third party could, by using a direct link, have access to the exam recordings and the data of the examined students presented during identification. Furthermore, the decision notes personal data disclosed included images, PESEL number, identity document number, name and surname, address, year of study, group, field of study, information about the subject taken, or the answers given during the exam. In addition, the decision notes that when asked to clarify the situation, the university argued that there was no need to notify the UODO of this violation, but took some steps to rectify the issue, such as notifying the people who downloaded the exam files of the responsibility of use of personal data. Lastly, the UODO ordered the university to notify the persons affected by the data breach.
UPDATE (27 January 2021)
EDPB publishes UODO's decision in English
The European Data Protection Board ('EDPB') published, on 26 January 2021, the UODO's decision in English.
You can read the press release here.