WSA in Warsaw issued a judgement on the protection of individual data during distant work

As a consequence of the judgement of the Provincial Administrative Court (WSA) in Warsaw, it was concluded that individual data stored in a private computer of a distant individual are protected in accordance with the individual Data Protection Regulation (GDPR). This ruling was the consequence of the decision of the president of the Office for individual Data Protection, who imposed a punishment of reprimand on the Financial Ombudsman in connection with the theft of this employee's laptop.

We recommend: Sale of debt and GDPR

According to the information contained in the Communication, the individual data breach occurred in the context of the theft of a private computer of a erstwhile associate of the Financial Ombudsman. This computer stored individual data that were processed during distant operation. The absence of a hazard analysis by the admin caused that the data were not decently secured and was not further checked whether the worker had effectively deleted the data from the computer after the end of the service.

The Financial Ombudsman appealed against the decision of the president of UODO, arguing that the stolen computer belonged to a erstwhile employee, and there was no evidence that there was individual data on the hard drive. It was besides stressed that the administrative procedure did not establish whether the computer was password-protected. Furthermore, it was noted that the individual who had previously worked for the Financial Ombudsman is simply a legal advisor, which means that he is simply a separate data administrator. However, the value of these arguments was not divided by the Provincial Administrative Court in Warsaw.

This court explicitly stated that the data admin in this case was the Financial Ombudsman, not his employee. Based on the definition of admin contained in the GDPR, which is the individual deciding on the purposes and ways of processing individual data, The General Court considered that the worker is not a separate legal entity and that his actions are the activities of the employer for which he is responsible. Even in the case of actions that undermine the scope of the employment obligations or the position of a erstwhile employee's legal adviser, this does not alter the fact that the employer is liable for these activities.

The Provincial Administrative Court agreed with the president of UODO that the data controller should carry out a hazard analysis related to the distant work of employees, utilizing both private and business computers. The Court considered that the administrator, neglecting the obligations arising from the GDPR concerning hazard analysis and implementation of appropriate method and organisational solutions to guarantee the safety of the data processed, tried to shift work for this to the employee.

"Despite that the worker was obliged to connect through VPN, usage appropriate file encryption programs and usage login passwords known only to him and their cyclical change, the contract between the parties does not consequence in the worker being obliged to encrypt the hard drive" – added.

In consequence to the Ombudsman's allegation that the president of the Office for individual Data Protection (UODO) did not prove in the process that the computer was not decently secured, the Provincial Administrative Court (WSA) indicated that the burden of proof in this situation rests with the administrator, and he should be able to prove that the employee's private laptop was decently protected against possible unauthorised access to individual data stored on it.

The WSA, issuing its ruling, besides stressed that the admin of versław besides failed to check whether the worker had effectively deleted the data from the computer.

Dear reader, we remind you that all legal matters in this substance we compose about can be complicated and frequently require the aid of a lawyer. It's worth discussing it with a lawyer before taking legal action.

Contact us now. We'll review your case and see precisely what we can do about you. Our experts have already helped a number of clients who thought they were already in an impossible situation.

Write us or call us now.

579-636-527
[email protected]