[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcUOuoXC7FoEj2ycr9Ty9UTPIzC_GV7moixMX1KGLDTE":3},{"article":4,"iocs":41},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":23,"category":24,"article_tags":28},"3a2efac8-d8ab-4074-9b43-048b92810b27","ΔΔΚ - 14\u002F2021","14-2021-62c86b","Wiki maintenance (fixed links). Revision as of 08:13, 29 May 2026, line 63: |Appeal_From_Body=Commissioner for Personal Data Protection changed to |Appeal_From_Body=Commissioner (Cyprus); the adjacent fields |Party_Link_6=, |Appeal_From_Case_Number_Name= and |Appeal_From_Status= are unchanged.","A Cyprus court upheld the data protection authority's finding that two football clubs and their ticket platform provider failed to implement adequate security measures, leading to a data breach. The breach exposed fans' personal data through a vulnerability in the online platform. 
However, the court annulled the fines initially imposed, citing proportionality concerns.","Cyprus court upholds GDPR breach finding but annuls fines for football clubs and ticket platform provider.","ΔΔΚ - 14\u002F2021 (GDPRhub, latest revision as of 08:13, 29 May 2026)
Court: ΔΔΚ (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 24(1) GDPR; Article 25 GDPR; Article 28 GDPR; Article 32(1) GDPR; Article 33 GDPR
Decided: 12.05.2026
Published:
Parties: APOEL; OMONIA; HELLENIC TECHNICAL ENTERPRISES LTD; Commissioner for Personal Data Protection
National Case Number\u002FName: 14\u002F2021
European Case Law Identifier:
Appeal from: Commissioner (Cyprus)
Appeal to:
Original Language(s): Greek
Original Source: CYLAW (in Greek)
Initial Contributor: n\u002Fa
A court upheld the DPA’s finding that two football clubs and their ticket purchase platform provider had failed to implement adequate security measures, after a security vulnerability allowed access to fans’ personal data. 
However, the court annulled the fines on grounds of proportionality.

English Summary

Facts

On 26 July 2021, a journalist informed the Cypriot DPA of a security vulnerability on an online platform that hosted the ticket purchase sites of two Cypriot football clubs, OMONIA and APOEL (the controllers). The flaw allowed any user to read, from a reserved-seat icon on the seat map, the name and ID number of the fan who had reserved that seat. With that information, the user could then download the fan’s card, including the fan’s photograph. The DPA ordered the controllers to submit a personal data breach notification under Article 33 GDPR. It also asked them whether a penetration test had been carried out on the platform and to submit their contracts with the platform provider, which acted as the processor of this data. Both controllers submitted the personal data breach notification form and the requested documents. The DPA fined each controller €40,000 and the processor €25,000 for infringements of Article 24(1) GDPR, Article 25 GDPR and Article 32(1) GDPR. The controllers and the processor appealed, mainly disputing their responsibility for the required security measures, their respective roles under the GDPR, and the proportionality of the fines. One of the controllers challenged only part of its fine.

Holding

The court held that, by submitting the breach notification form, the controllers had accepted both that a personal data breach within the meaning of Article 33 GDPR had occurred and that they acted as controllers for the purposes of the GDPR. It further held that the platform provider acted as a processor under the relevant contracts and was therefore bound by Articles 28 and 32 GDPR. 
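The seat-map flaw set out under Facts, modelled in code as an added illustration. This is not code from stadium360.net, the clubs or the decision; it is a hypothetical reconstruction of the pattern the court describes (a public seat-status response that carries the holder’s name and ID number, and a fan-card download keyed on that same pair) placed beside a hardened version in which the seat map returns occupancy only and the card is released solely to the authenticated holder. All function names, seat IDs and fan records are assumptions constructed for the example.

```python
# Added example (not code from the platform or the decision): a minimal
# model of the disclosure chain described under Facts, beside a hardened
# version. Seat IDs, fan records and photo bytes are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fan:
    name: str
    id_number: str   # national ID number, the identifier the seat map leaked
    photo: bytes     # fan-card photograph (placeholder bytes)


# Constructed data: two reserved seats and one free seat.
FANS = {
    'fan-1': Fan('A. Example', '123456', b'photo-1'),
    'fan-2': Fan('B. Example', '654321', b'photo-2'),
}
SEATS = {'A1': 'fan-1', 'A2': 'fan-2', 'A3': None}   # seat -> holder


# ---- Vulnerable pattern (as described in the decision) -------------------

def seat_status_vulnerable(seat):
    # The reserved-seat icon carried the holder's identity to any visitor.
    fan_id = SEATS.get(seat)
    if fan_id is None:
        return {'reserved': False}
    fan = FANS[fan_id]
    return {'reserved': True, 'name': fan.name, 'id_number': fan.id_number}


def fan_card_vulnerable(name, id_number):
    # The card download was keyed on exactly the pair the seat map revealed,
    # so possession of (name, id_number) was treated as authorisation.
    for fan in FANS.values():
        if fan.name == name and fan.id_number == id_number:
            return fan.photo
    return None


# ---- Hardened pattern ------------------------------------------------------

def seat_status_hardened(seat):
    # Data minimisation: a public seat map only needs occupancy.
    return {'reserved': SEATS.get(seat) is not None}


def fan_card_hardened(session_fan_id, requested_fan_id):
    # Authorisation is bound to the authenticated subject, not to knowledge
    # of identifiers: only the logged-in holder may fetch their own card.
    if session_fan_id is None or session_fan_id != requested_fan_id:
        return None
    return FANS[requested_fan_id].photo


# ---- What an anonymous visitor can harvest -------------------------------

def leaked_identities(status_fn):
    # Walk the seat map unauthenticated and collect any identities it hands out.
    found = []
    for seat in SEATS:
        status = status_fn(seat)
        if status.get('reserved') and 'id_number' in status:
            found.append((seat, status['name'], status['id_number']))
    return found


def harvest_photos(status_fn, card_fn):
    # Chain the two weaknesses: identity from the map, then the card download.
    return {
        seat: card_fn(name, id_number)
        for seat, name, id_number in leaked_identities(status_fn)
    }


if __name__ == '__main__':
    print('vulnerable chain:', harvest_photos(seat_status_vulnerable, fan_card_vulnerable))
    print('hardened map leaks:', leaked_identities(seat_status_hardened))
    print('hardened card, anonymous:', fan_card_hardened(None, 'fan-1'))
    print('hardened card, owner:', fan_card_hardened('fan-1', 'fan-1'))
```

Run as a script, it prints the two photographs an anonymous visitor collects against the vulnerable pair and nothing against the hardened pair. The two fixes are independent and both matter: minimising the seat-map response removes the identifiers an attacker would key on, and tying the card download to the session means that even a name and ID number leaked elsewhere no longer yield the photograph.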
The court upheld the DPA’s finding that the controllers and the processor had infringed the GDPR. It rejected one controller’s argument that it had no duty to carry out a penetration test before the platform was launched: Article 24 GDPR, Article 25 GDPR and Article 32 GDPR impose a continuing obligation on controllers and processors to ensure a level of security appropriate to the risk, and since Article 32 GDPR lists security measures only by way of example, their duties are not limited to the measures expressly mentioned there. The processor’s prior internal checks did not change the outcome, because the duty to implement appropriate security measures is ongoing. However, the court annulled the administrative fines, insofar as they were challenged, because their amounts had not been set in accordance with the principle of proportionality. One controller had been fined €40,000 for an infringement affecting 3,652 persons, while the other controller received the same fine although at most 100 persons were affected; the processor, which was involved in both infringements, received a lower fine of €25,000. Given that the underlying facts were essentially the same and that liability under the GDPR is shared between controllers and processors, the DPA had failed to respect the principle of proportionality when setting the fines.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

ADMINISTRATIVE COURT
(Joint Cases No. 14\u002F2021, 1387\u002F2021 and 1395\u002F2021)
12 May 2026
[MICHAEL, Judge of the Administrative Court] 
(Case No. 14\u002F2021)
OMONIA FOOTBALL LTD, Applicant
v.
THE REPUBLIC OF CYPRUS, THROUGH THE COMMISSIONER FOR THE PROTECTION OF PERSONAL DATA, Respondent
..........
(Case No. 1387\u002F2021)
APOEL FOOTBALL (PUBLIC) LTD, Applicant
v.
THE REPUBLIC OF CYPRUS, THROUGH THE COMMISSIONER FOR THE PROTECTION OF PERSONAL DATA, Respondent
..........
(Case No. 1395\u002F2021)
HELLENIC TECHNICAL ENTERPRISES LTD, Applicant
v.
THE REPUBLIC OF CYPRUS, THROUGH THE COMMISSIONER FOR THE PROTECTION OF PERSONAL DATA, Respondent
..........
X. Christofi for Christofi & Associates D.E.P.E., for the applicant in Case No. 14\u002F2021.
N. Triantafyllidi (Ms), together with trainee lawyer V. Karathanasi (Ms), for Christos M. Triantafyllidi, for the applicant in Case No. 1387\u002F2021.
A. Papamichael (Ms), together with trainee lawyers A. Afxentiou and K. Vassiliou (Ms), for A & A K. Emilianidis, K. Katsaros and Associates D.E.P.E., for the applicant in Case No. 1395\u002F2021.
Th. Piperi-Christodoulou (Ms) for the Attorney General, for the respondent.

DECISION

MICHAEL, Judge of the Administrative Court: All applicants request the annulment of the respondent’s decision dated 6.9.2021 by which it found that they had acted in violation of the General Data Protection Regulation, Regulation (EU) 2016\u002F679 (hereinafter the \"General Regulation\"), and imposed on them administrative fines of €40,000, €10,000 and €25,000 respectively. It is clarified that the applicant Apoel challenges only part of the administrative fine imposed on it and not the whole €40,000. On 26.7.2021, a journalist informed the respondent of a security flaw in the electronic platform stadium360.net which allowed a user to identify, from a reserved-seat icon, the name and ID number of the fan who had reserved the seat and then, using this information, to download the fan card with the photograph of the person in question. 
The said electronic platform hosts the ticket purchase websites of the clubs of the applicants in Cases No. 14\u002F2021 and 1387\u002F2021, and the applicant in Case No. 1395\u002F2021 is the platform provider acting as processor. Since the respondent established the violation after testing it, by letters dated 28.7.2021 it requested the applicants Omonia and Apoel to submit a notification of a personal data breach incident and to send it their data processing contracts with the applicant Hellenic. The information was submitted, clarifying questions were answered, a preliminary inspection report was submitted, and on 6.8.2021 the respondent informed the applicants in writing that it had identified a prima facie violation and asked them to submit their positions by 13.8.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=%CE%94%CE%94%CE%9A_-_14\u002F2021&diff=51760&oldid=51685","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-05-29T08:13:15+00:00","2026-05-29T10:00:14.868901+00:00",7,[18,21],{"name":19,"type":20},"APOEL","vendor",{"name":22,"type":20},"OMONIA","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":23,"icon":25,"name":26,"slug":27},null,"GDPR","gdpr",[29,34,36],{"category":30},{"id":31,"icon":25,"name":32,"slug":33},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":35},{"id":23,"icon":25,"name":26,"slug":27},{"category":37},{"id":38,"icon":25,"name":39,"slug":40},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]