ΔΔΚ - 14/2021
A Cypriot court upheld findings of GDPR violations against two football clubs and their ticket platform provider, but annulled the fines on proportionality grounds.
Summary
A Cypriot court upheld findings that two football clubs (OMONIA and APOEL) and their ticket platform provider violated GDPR Articles 24, 25, and 32 after a security vulnerability exposed fans' personal data, including names, ID numbers, and photographs. However, the court annulled the original fines (€40,000 per controller, €25,000 for the processor) on proportionality grounds, noting that the penalty amounts were inconsistent relative to the number of affected individuals (3,652 vs. ~100 persons).
Full text
ΔΔΚ - 14/2021 (GDPRhub; latest revision as of 07:50, 19 May 2026)

Court: ΔΔΚ (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 24(1) GDPR; Article 25 GDPR; Article 28 GDPR; Article 32(1) GDPR; Article 33 GDPR
Decided: 12.05.2026
Published:
Parties: APOEL; OMONIA; HELLENIC TECHNICAL ENTERPRISES LTD; Commissioner for Personal Data Protection
National Case Number/Name: 14/2021
European Case Law Identifier:
Appeal from: Commissioner for Personal Data Protection
Appeal to:
Original Language(s): Greek
Original Source: CYLAW (in Greek)
Initial Contributor: n/a

A court upheld the DPA’s finding of a failure to implement adequate security measures concerning two football clubs and their ticket purchase platform provider after a security vulnerability allowed access to fans’ personal data. However, the court annulled the fines, on grounds of proportionality.

== English Summary ==

On 26 July 2021, a journalist informed the Cypriot DPA of a security vulnerability on an online platform. This online platform hosted ticket purchase sites of two Cypriot football clubs, OMONIA and APOEL (the controllers). This flaw in the system allowed a user to identify, through a reserved-seat icon, the name and ID number of the fan who had reserved the seat. By using that information, the user could then download the fan card, including the fan’s photograph.

The DPA ordered the controllers to submit a personal data breach notification in accordance with [[Article 33 GDPR]]. In addition, it asked them to provide information on whether a penetration test had been carried out on the platform and to submit their contracts with the platform provider which acted as the processor of this data. Both controllers submitted the Personal Data Breach Notification Form and the requested documents.

The DPA fined each controller €40,000 and the processor €25,000 for the violations of [[Article 24 GDPR#1|Article 24(1) GDPR]], [[Article 25 GDPR]] and [[Article 32 GDPR#1|Article 32(1) GDPR]].

The controllers and the processor appealed the decision, mainly disputing their responsibility for the required security measures, their respective roles under the GDPR, and the proportionality of the fines. One of the controllers challenged only part of that fine.

=== Holding ===

The court held that, by submitting the breach notification form, the controllers had accepted both that there had been a personal data breach under [[Article 33 GDPR]] and that they acted as controllers for the purposes of the GDPR. The court further held that the platform provider acted as a processor under the relevant contracts and was therefore bound by Articles 28 and 32 GDPR.

The court upheld the DPA’s finding that the controllers and the processor had infringed the GDPR. It rejected one of the controllers’ arguments that it had no duty to carry out a penetration test before the platform was launched. The court held that [[Article 24 GDPR]], [[Article 25 GDPR]] and [[Article 32 GDPR]] impose a continuing obligation on controllers and processors to ensure a level of security appropriate to the risk. Since [[Article 32 GDPR]] lists security measures only by way of example, their duties were not limited to the measures expressly mentioned in that provision. The court also held that the processor’s prior internal checks did not change the outcome, as the duty to implement appropriate security measures is ongoing.

However, the court annulled the administrative fines, insofar as challenged, because their amount had not been determined in accordance with the principle of proportionality. In particular, the court noted that one controller had been fined €40,000 although the infringement affected 3,652 persons, while the other controller received the same fine despite the fact that only up to 100 persons were affected. By contrast, the processor, which was involved in both infringements, received a lower fine of €25,000.
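As an added illustration, not part of the GDPRhub entry or of the court file, the following Python models the two-step exposure the facts describe (a public seat icon carrying the holder's name and ID number, and a fan-card download reachable with that ID number) next to the data-minimisation and access-control pattern that Articles 25 and 32 point towards: the public seat map carries only a reserved flag, and the card is served only to its authenticated holder. It also includes the kind of unauthenticated-enumeration check a penetration test of such a platform would automate. All fans, seats, identifiers and endpoint functions are constructed, hypothetical sample data, not the platform's real design.

```python
"""Added example: seat-map exposure vs. a minimised, access-controlled design.

Everything here is constructed sample data; none of it comes from the
platform, the clubs, or the court file.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Fan:
    fan_id: str       # hypothetical internal identifier
    name: str
    id_number: str    # national ID number: personal data
    photo_ref: str    # reference to the photograph on the fan card


# Constructed sample data: two reserved seats (A1, A2); A3 is free.
FANS: Dict[str, Fan] = {
    "fan-1": Fan("fan-1", "A. Example", "ID-0001", "photo-1.jpg"),
    "fan-2": Fan("fan-2", "B. Sample", "ID-0002", "photo-2.jpg"),
}
RESERVATIONS: Dict[str, str] = {"A1": "fan-1", "A2": "fan-2"}  # seat -> fan_id


def seat_icon_leaky(seat: str) -> dict:
    """Vulnerable pattern: the seat-icon payload sent to any visitor carries
    the holder's name and ID number (the exposure the decision describes)."""
    fan_id = RESERVATIONS.get(seat)
    if fan_id is None:
        return {"seat": seat, "reserved": False}
    fan = FANS[fan_id]
    return {"seat": seat, "reserved": True, "name": fan.name, "id_number": fan.id_number}


def fan_card_leaky(id_number: str) -> Optional[dict]:
    """Vulnerable pattern: knowing an ID number is enough to fetch the card,
    so the seat-icon leak chains into a photograph download."""
    for fan in FANS.values():
        if fan.id_number == id_number:
            return {"name": fan.name, "photo": fan.photo_ref}
    return None


def seat_icon_minimal(seat: str) -> dict:
    """Hardened (data minimisation, Art. 25): the public seat map only needs
    to know whether a seat is taken, never who took it."""
    return {"seat": seat, "reserved": seat in RESERVATIONS}


def fan_card_authorized(session_fan_id: Optional[str], requested_fan_id: str) -> Optional[dict]:
    """Hardened (access control, Art. 32): the card is served only to the
    authenticated holder; there is no lookup by ID number at all.
    Any staff/admin role would be an explicit, audited exception (omitted)."""
    if session_fan_id is None or session_fan_id != requested_fan_id:
        return None
    fan = FANS.get(requested_fan_id)
    if fan is None:
        return None
    return {"name": fan.name, "photo": fan.photo_ref}


PII_FIELDS: Set[str] = {"name", "id_number", "photo"}


def anonymous_exposure(endpoint: Callable[[str], dict], seats: Iterable[str]) -> Set[str]:
    """Pentest-style regression check: walk the public seat map as an
    unauthenticated visitor and collect any personal-data fields returned.
    An empty set means the endpoint exposes nothing beyond seat status."""
    leaked: Set[str] = set()
    for seat in seats:
        leaked |= PII_FIELDS & set(endpoint(seat))
    return leaked


if __name__ == "__main__":
    seats = ["A1", "A2", "A3"]
    print("leaky endpoint exposes:", anonymous_exposure(seat_icon_leaky, seats))
    print("minimal endpoint exposes:", anonymous_exposure(seat_icon_minimal, seats))
    print("card without session:", fan_card_authorized(None, "fan-1"))
    print("card for own session:", fan_card_authorized("fan-1", "fan-1"))
```

The `anonymous_exposure` check is the kind of assertion that belongs in the platform's automated test suite and in periodic penetration tests, which is what makes the court's point about a continuing obligation concrete: a design that passed once can regress with the next release, so the check has to keep running.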