Fine for sports association for failing to respond appropriately to disclosure of personal data
The President of the Personal Data Protection Office imposed a fine of PLN 916.71 on the "Maraton" (Marathon) Sports Association from Gorlice in the Podkarpacie region for failing to respond adequately after a personal data breach. An untrained volunteer had inadvertently disclosed more data than necessary about more than one hundred competition participants on a social network.
The "Maraton" Sports Association from Gorlice organised the competition and published a list of participants on Facebook. The competitors had consented to the processing of their data. The problem was that, although the spreadsheet as displayed showed only name, surname, gender, club and town, the downloaded file still contained hidden information: when it was opened for editing, the participants' email addresses and dates of birth became visible. This made it possible to identify or contact these individuals.
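The failure described above is a general one: hiding rows, columns or sheets in a spreadsheet changes only how the file is displayed, not what it contains, so a hidden column travels with the file to everyone who downloads it. The following is an added example of a pre-publication check, not code from the decision or from the Association. It assumes, which the page does not state, that the extra fields were kept in hidden columns of an .xlsx file; the sample workbook, the names and the hypothetical function names (`build_sample_xlsx`, `audit_hidden_content`) are constructed here. Only the standard library is used, because an .xlsx is a zip archive of XML parts.

```python
"""Audit an .xlsx for hidden sheets, rows and columns before it is published.

Added example with constructed data; it assumes the leaked fields sat in
hidden spreadsheet columns (the page does not say how they were hidden).
"""
import re
import zipfile
from io import BytesIO
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}


def col_letter_to_index(letters: str) -> int:
    """'A' -> 1, 'Z' -> 26, 'AB' -> 28 (the 1-based column numbering used by <col min/max>)."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def col_index_to_letter(n: int) -> str:
    """Inverse of col_letter_to_index: 6 -> 'F', 27 -> 'AA'."""
    s = ""
    while n:
        n, rem = divmod(n - 1, 26)
        s = chr(ord("A") + rem) + s
    return s


def build_sample_xlsx() -> bytes:
    """Constructed starting list: columns A-E visible, F-G (email, date of birth) hidden.
    The people are fictitious; this is the minimal set of parts a valid .xlsx needs."""
    header = ["Name", "Surname", "Gender", "Club", "Town", "Email", "DateOfBirth"]
    rows = [
        ["Jan", "Kowalski", "M", "KS Example", "Gorlice", "jan@example.invalid", "1985-03-12"],
        ["Anna", "Nowak", "F", "LKS Test", "Biecz", "anna@example.invalid", "1992-11-02"],
    ]

    def cell(ref: str, text: str) -> str:
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'

    xml_rows = []
    for r, values in enumerate([header] + rows, start=1):
        cells = "".join(cell(f"{col_index_to_letter(c)}{r}", v) for c, v in enumerate(values, start=1))
        xml_rows.append(f'<row r="{r}">{cells}</row>')
    # <col hidden="1"> is exactly what a spreadsheet application writes when a user hides columns F:G.
    sheet = (f'<worksheet xmlns="{MAIN_NS}"><cols><col min="6" max="7" width="0" hidden="1"/></cols>'
             f'<sheetData>{"".join(xml_rows)}</sheetData></worksheet>')
    workbook = (f'<workbook xmlns="{MAIN_NS}" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<sheets><sheet name="Start list" sheetId="1" r:id="rId1"/></sheets></workbook>')
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
                     '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/></Types>')
    root_rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                 '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/></Relationships>')
    wb_rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
               '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>')
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", wb_rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def audit_hidden_content(xlsx_bytes: bytes) -> dict:
    """Return hidden sheets and, per worksheet, the hidden columns/rows and the cell
    values inside them, i.e. exactly what a recipient sees after 'Unhide'."""
    report = {"hidden_sheets": [], "sheets": {}}
    with zipfile.ZipFile(BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for s in wb.findall("m:sheets/m:sheet", NS):
            if s.get("state") in ("hidden", "veryHidden"):  # veryHidden is only reachable via VBA/XML
                report["hidden_sheets"].append(s.get("name"))
        for name in z.namelist():
            if not re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                continue
            root = ET.fromstring(z.read(name))
            hidden_cols = set()
            for col in root.findall("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
            hidden_rows = {int(r.get("r")) for r in root.findall("m:sheetData/m:row", NS)
                           if r.get("hidden") in ("1", "true")}
            leaked = []
            for c in root.iter(f"{{{MAIN_NS}}}c"):
                m = re.fullmatch(r"([A-Z]+)(\d+)", c.get("r", ""))
                if not m:
                    continue
                if col_letter_to_index(m.group(1)) in hidden_cols or int(m.group(2)) in hidden_rows:
                    t = c.find("m:is/m:t", NS)   # inline string, as written by build_sample_xlsx
                    v = c.find("m:v", NS)        # number, or a sharedStrings.xml index for t="s" cells (not resolved here)
                    leaked.append((c.get("r"), t.text if t is not None else (v.text if v is not None else "")))
            report["sheets"][name] = {
                "hidden_columns": [col_index_to_letter(i) for i in sorted(hidden_cols)],
                "hidden_rows": sorted(hidden_rows),
                "hidden_cell_values": leaked,
            }
    return report


if __name__ == "__main__":
    for sheet, finding in audit_hidden_content(build_sample_xlsx())["sheets"].items():
        print(sheet, "hidden columns:", finding["hidden_columns"], "values:", finding["hidden_cell_values"])
```

Run before publishing: a non-empty `hidden_columns`, `hidden_rows` or `hidden_sheets` means the file carries more than the screen shows. The safe remedy is not to unhide and re-hide but to export only the columns meant for publication into a fresh file (or a CSV), so that nothing but the intended fields is present in the bytes that leave the organisation.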
The President of the Personal Data Protection Office was alerted to the incident by a third party and asked the controller for an explanation. The Association admitted that a mistake had been made and blamed it on a volunteer working at the competition. The President of the Personal Data Protection Office then explained the procedure the GDPR requires: after such an incident, the controller must assess the risk to which the data subjects were exposed, and that assessment determines whether the incident has to be notified to the supervisory authority.
The Association replied that there had been a misunderstanding, explaining that extracting the additional information from the posted starting list took extra work. The Association is a small organisation and has to rely on volunteers. It has no legal expertise, and the Poviat Starosty (county office) refused to assist it in this regard. The Association had obtained the participants' consent to process their personal data, which it considered to be its key obligation.
However, this was not what the President of the Personal Data Protection Office asked about. His question was not "who is to blame", but how the Association responded to the consequences of an incident where the privacy of specific individuals may have been breached.
The President of the Personal Data Protection Office requested this information on several occasions but did not receive it. In the end, in exercise of his duties and powers, he initiated administrative proceedings. He asked how many persons' personal data had been made available on the social network in the form of the list of participants in the sports competition. He received no answer. He therefore assumed, on the basis of the evidence gathered in the case, that the breach could have affected around a hundred people and that the Association had not assessed the risks to these people resulting from the disclosure of their data. The Association failed to do so because it did not understand the seriousness of the situation, and it did not notify the incident to the President of the Personal Data Protection Office. As a result, it failed to comply with its obligations.
The President of the Personal Data Protection Office explains that notifying a breach is not a bureaucratic procedure but an effective tool for improving the security of personal data processing. The story of the competition organised by the "Maraton" Association shows that it had a serious problem with this. The data of more than a hundred people ended up in the hands of an unauthorised person who did not know how to handle it and made it public. As a result, the personal data of many people were breached.
The absence of a personal identification number (PESEL number) from the list of participants does not mean that these people cannot be identified. The risk was not high, but it cannot be ignored. Had the Association carried out this reasoning, it would have known that, as the controller of those data, it had a legal obligation to notify the personal data breach to the President of the Personal Data Protection Office, who would then have advised it on what to do next. This particular situation did not require communicating the breach to the data subjects, but the data handling procedures at the "Maraton" Association need to be improved.
The full text of the decision of the President of the Personal Data Protection Office can be found at the link below: