Poland: GDPR penalty for sports association
A Polish sports association accidentally leaked the personal data of 585 referees who received the judicial licences online. This data included not only the names, but also the exact addresses and PESEL numbers of these referees. A party with malicious intent could have used the data to commit identity theft. Such a party could have impersonated a referee in order to borrow money or take on other obligations.
The sports association noticed its own error and sent a notification about the personal data protection breach to the President of the PDPA. Because attempts to remove the data from the website were not effective, fixing the breach took too long. This prompted the President of the UODO (Polish National Personal Data Protection Office) to issue a GDPR fine. The fact that the breach affected a large number of people also prompted the fine. However, in imposing the penalty, the good cooperation between the controller and the supervisory authority was also taken into account, as was the fact that no damage to the affected referees has been disclosed.
Sources: Notice from the Data Protection Authority
Type of violation:
Illegal data processing
Was sensitive data affected?:
Violation of GDPR Paragraph:
5. Principles relating to personal data processing