20.03.2025

Reprimand to Lazarski University for violating GDPR regulations on Data Protection Officer

The university was late in implementing regulations to ensure compliance with the requirements of GDPR regarding the rules of cooperation between the controller and the Data Protection Officer. For this reason, the President of the Personal Data Protection Office, Mirosław Wróblewski, issued a reprimand to the university.

The President of the Data Protection Office examined the university's rules of cooperation with the Data Protection Officer (DPO) in the proceedings by asking the university about the facts and analysing its answers. He found that the irregularities were rectified only when the university introduced new internal regulations, on 3 April and 9 October 2023, regarding the performance of the Data Protection Officer's tasks.

1. Previously, the university did not ensure that the Data Protection Officer was properly and promptly involved in all data protection matters, as it did not implement any concrete solutions in this regard, such as in the data protection policy or other internal regulations.

2. There were also no solutions to provide the Data Protection Officer with resources to maintain his expertise.

3. Until 9 October 2023, the university also did not implement solutions to ensure that the Data Protection Officer would not receive instructions in connection with the performance of his tasks.

4. Until 3 April 2023, the university did not implement solutions to ensure that other tasks and duties performed by the Data Protection Officer do not create a conflict of interest. Only the amendment of the provisions of the data protection policy and the subsequent implementation of the provisions of the supplementary regulations have positively changed this state of affairs.

5. The university did not, prior to 9 October 2023, implement organisational or other solutions to ensure control over the proper performance of all tasks by the Data Protection Officer, such as regulations on the Data Protection Officer’s work plan (including the audit plan) or another solution on the basis of which such control could be implemented. This issue was only addressed in the aforementioned regulations.

This means that Lazarski University, as a data controller, failed to comply with the requirements indicated in the provisions of the GDPR (in Article 38(1), (2), (3) and (6) and Article 39(1)), and for this reason received a reprimand from the President of the Personal Data Protection Office.