United Kingdom
Mermaids
GDPR enforcement action by Information Commissioner (ICO) on 2021-07-05.
Case details
- Authority
- Information Commissioner (ICO)
- Date
- 2021-07-05
- Controller / Processor
- Mermaids
- Sector
- Individuals and Private Associations
- Quoted Articles
- Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The ICO has fined transgender charity Mermaids EUR 29,000 for failing to protect the personal data of its users, in breach of Art. 5 (1) f) UK GPDR and Art. 32 (1), (2) UK GDPR.
The ICO conducted an investigation after it received a report of a data breach relating to an internal email group.
During the investigation, the ICO found that the group was created with insufficiently secure settings, resulting in approximately 780 pages of confidential emails being viewable online for nearly three years. This resulted in personal information, such as names and email addresses, of 550 people being online.
The ICO concludes that Mermaids should have restricted access to its email group and could have considered pseudonymization or encryption to provide additional protection for the personal data. Organizations responsible for personal data must ensure that they take the appropriate technical and organizational measures to ensure the security of personal data.
Related fines