The President of UODO imposed another fine
Ineffective attempts to remedy a breach, which consisted of making public too broad a scope of personal data, are the main reason the President of the UODO imposed a fine on the controller.
The Lower Silesian Football Association made public the personal data of referees who had been granted referee licenses. Not only their names and surnames were disclosed, but also their residential addresses and personal identification (PESEL) numbers. There is, however, no legal basis for making such a broad scope of referees’ data available on the Internet. By publishing this data, the controller created a risk of its misuse, e.g. for the purpose of impersonating these individuals in order to take out a loan or to incur other obligations.
The Association itself admitted its fault, as evidenced by the fact that a data breach notification was made to the President of the UODO, but the fact that the attempts to remedy the breach were unsuccessful was decisive in imposing the fine.
In determining the amount of the fine (PLN 55,750.50), the President of the UODO took into consideration, inter alia, the duration of the breach and the fact that it pertained to a large number of individuals (585 referees). He concluded that even though the breach was ultimately remedied, its nature was serious.
Nevertheless, in determining the amount of the fine, the President of the UODO also considered the mitigating factors, namely the controller's good cooperation with the supervisory authority and the lack of evidence of any damage to the individuals whose data was disclosed.
More details on this case can be found in the decision of the President of the UODO (available in Polish only): https://uodo.gov.pl/decyzje/ZSPR.440.43.2019