Your Personal Data Controller, Szkoła Główna Gospodarstwa Wiejskiego w Warszawie
[SGGW, the Warsaw University of Life Sciences] with its registered office in Warsaw at
ul. Nowoursynowska 166, acting pursuant to Article 34.1 and 34.2 of the Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC ( hereinafter: RGDR)
hereby informs of a possible breach of your personal data security in connection with
the incident which occurred on 5 November 2019 in Warsaw.

On 5 November 2019, a laptop computer used by one of the employees of the Warsaw University of

Life Sciences was stolen. The personal data of candidates for the students of the Warsaw University of
Life Sciences processed during the admission procedures in recent years were saved on the computer
disc. The Personal Data Controller cannot exclude the possibility that, as a result of this incident,
unknown persons gained access to your personal data resulting in a personal data breach. The
computer’s disk contained personal data of the candidates, including but not limited to: identification
details – first name, middle name, surname, name at birth, parents’ names, personal identification
number, gender, nationality, citizenship, residence address, series and number of your card/passport,
series and number of your identity card, completed secondary school, location of your secondary
school, mobile and landline phone numbers, year of graduating from the secondary school, number
and date of the secondary school leaving certificate, certificate issuing authority, baccalaureate
[matura] year and date of your baccalaureate certificate, results of baccalaureate examination,
completed higher education programmes, university from which you graduated, completed field of
study, grade on your diploma, GPA, field of study for which the candidate is applying, secondary school
details, information on admission, candidate’s qualification points, compatibility of field of study
completed with that for which the candidate is applying.
Performing our obligation under Article 34 of the GDPR, the Warsaw University of Life Sciences
(SGGW) informs that there is a risk of unauthorized access to the above-mentioned personal data and
learning their content. Possible consequences of a possible breach of personal data security is
unauthorized use of personal data, for example:
 by third parties in order to obtain, to the detriment of the data subject concerned, loans from nonbank institutions, since many such institutions make it possible to obtain a loan or credit in an easy
and quick way, e.g. online or by telephone without the need to show one’s identity document;
 in order to obtain access to healthcare services available to the data subject concerned and gain
access to the information about the data subject’s health because often access to patient
registration systems can be obtained by phone confirming one’s identity with one’s personal
identification PESEL number;
 exercise the civil rights of the data subject concerned, including for example the right to vote on the
participatory budget, and thus preventing the actual data subject from exercising his or her rights;
 obtain insurance or insurance funds by deception which may result in negative consequences for
the data subject, such as problems if they are perceived as guilty of such an offence.
In order to prevent negative effects of the breach, we recommend that the persons whose personal
data security may have been compromised should take steps to minimise the risk of negative
consequences and unauthorized use of their data, for example by:
setting up an account in the credit and business information system in order to monitor credit activity
(systems, institutions and enterprises that offer credit activity monitoring are available on the market.
Here are some examples: Biuro Informacji Kredytowej S.A. at https://www.bik.pl, Biuro Informacji
Gospodarczej InfoMonitor S.A. https://big.pl, Krajowy Rejestr Długów Biuro Informacji Gospodarczej
S.A. https://krd.pl, CHRONPESEL service website https://www.chronpesel.pl ).
If you spot any irregularities, you should report this fact to the law enforcement bodies.
You should be cautious when providing personal details to others, especially via the Internet or
telephone;
You should report voluntarily the personal data breach to competent authorities in order to prevent
the so-called “Identity theft”.
The purpose of such steps is to protect your personal data against misuse.
I wish to assure you that, in order to remedy the breach of personal data security and minimise any
negative effects of this breach, the Personal Data Controller has taken immediate and adequate
organizational, administrative and legal measures, including informing its employees again that the
processing of personal data controlled or processed by SGGW may take place only on the media
provided officially by the University which ensure adequate protection of confidentiality and security
of personal data in accordance with the internal procedures applicable at SGGW.
The Personal Data Controller also provided again training on personal data protection regulations to
the management personnel and continues the relevant periodical training programme addressed to
the University employees. The incident has also been reported by the Personal Data Controller to the
Office for Personal Data Protection and to the law enforcement authorities. In addition, the employee
of the Warsaw University of Life Sciences who was the user of the stolen computer reported the
suspected criminal offence, i.e. , stealing of a laptop containing the personal data of University
candidates, by unknown offenders to the Police Station KP Warszawa Ursynów.
The Personal Data Controller, in order to ensure adequate protection of personal data and in order to
prevent similar data breaches, is planning to introduce changes in the IT solutions applied in order to
provide enhanced protection of personal data. In particular, the Controller is planning to take adequate
measures to limit the possibility of saving data on external media.
The Personal Data Controller wishes to ensure that the necessary actions have been taken in order to
eliminate the possibility of a similar incident in the future.
Should you have further questions or doubts, please contact the Personal Data Protection Officer: Mr
Michał Komarnicki, Szkoła Główna Gospodarstwa Wiejskiego w Warszawie, ul. Nowoursynowska 166,
02-787 Warszawa, e-mail: iod@sggw.pl