
Background information
- Date of final decision: 17 June 2025
- National case
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
- Decision: Administrative fine, Compliance order
- Key words: Administrative fine, Data protection by design and by default, Data security, Lawfulness of processing, Data subject rights
Summary of the Decision
Origin of the case
The decision was issued in connection with a security incident in which the security features of the Hospital's IT infrastructure were broken down and its operating system was infected with ransomware. As a result of the attack, access to the IT systems was blocked, resulting in a breach of the confidentiality and availability of the personal data of about 2000 employees, including the possibility of unauthorised access.
Key Findings
During the inspection, the President of the Polish Supervisory Authority (SA) found that the risk analysis had not been carried out correctly.
Firstly, the analysis was carried out on the basis of a flawed procedure whereby the assessment of possible risks was made from the perspective of the Hospital as an organisation, and not from the perspective of the protection of data subjects.
Secondly, the Hospital did not indicate which processing operations it had analysed, nor did it link those operations to the identified risks, vulnerabilities and the final risk assessment. In order to ensure an adequate level of protection, it is not sufficient to give a very general indication of the potential risks and the likelihood of their occurrence; it is necessary to link them to the nature, scope, context and purpose of the processing of personal data within the organisation concerned.
Thirdly, the description of the proposed risk management measures also reflects the unreliability of the risk analysis carried out by the Hospital. The supervisory authority considered that the documents adopted by the Hospital to demonstrate that the risk analysis had been carried out were inconsistent and ambiguous, and did not contain specific organisational and technical solutions correlated, as already indicated above, with adequately specific risks.
Decision
The President of the Personal Data Protection Office has imposed on the University Children's Clinical Hospital in Białystok an administrative fine of EUR 15 556 for infringement of Articles 24(1), 25(1) and 32(1) and (2) of the GDPR.
In addition, the President of the Personal Data Protection Office ordered the Hospital to bring its processing operations into line with the provisions of the GDPR, within 60 days of the date of notification of the Decision, by:
- implementing appropriate technical and organisational measures to ensure the security of personal data processed in the information systems and the protection of the rights of data subjects, on the basis of a risk analysis taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of natural persons, including the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- implementing appropriate technical and organisational measures to ensure that the effectiveness of the technical and organisational measures securing personal data processed in the information systems is regularly tested, measured and evaluated.
For further information:
• National press release (Polish): Protection of individuals’ personal data should be the basis for risk analysis
• National decision (Polish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.