Poland
Sports association
GDPR enforcement action by Polish National Personal Data Protection Office (UODO) on 2019-04-25.
Case details
- Authority
- Polish National Personal Data Protection Office (UODO)
- Date
- 2019-04-25
- Controller / Processor
- Sports association
- Sector
- Individuals and Private Associations
- Quoted Articles
- Art. 6 GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
One sports association published personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers. Meanwhile, there is no legal basis for such a wide range of data on judges to be available on the Internet. By making them public, the administrator posed a potential risk of their unauthorized use, e.g. to impersonate them for the purpose of borrowing or other obligations. Although the association itself noticed its own error, as evidenced by the notification of a personal data protection breach to the President of the PDPA, the fact that attempts to remove it were ineffective determined the imposition of a penalty.
When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among others, the duration of the infringement and the fact that it concerned a large group of persons (585 judges). It concluded that although the infringement was finally removed, it was of a serious nature.However, when imposing a penalty, the President of the Office of Competition and Consumer Protection also took into account mitigating circumstances, such as good cooperation between the controller and the supervisory authority or lack of evidence that damage had been caused to the persons whose data had been disclosed.
Related fines