Poland: GDPR penalty for sports association
A Polish sports association accidentally leaked personal data of 585 referees who received the judicial licences online. This data included not only the names, but also the exact addresses and PESEL numbers these referees . A party with malicious intent could have used the data to commit identity theft. Said party could have impersonated a referee for the purpose of borrowing or other obligations.
The sports association noticed their own error and send a notification about the personal data protection breach to the President of the PDPA. As attempts to remove the data from the website were not effective, the fixing of the breach took too long. This prompted the President of the UODO (Polish National Personal Data Protection Office) to issue a GDPR fine. The fact, that the breach affected a large number of people also prompted a fine. However, while imposing the penalty, the good cooperation between controller and supervising authority was also taken into account. As was the fact, that no damage to affected referees has been disclosed.
Type of Issue:
Illegal data processing
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
5. Principles relating to personal data processing