Mermaids – €29,250 Fine (United Kingdom, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Mermaids, a charity for gender non-conforming youth, faced a fine for not securing emails that contained sensitive personal information. Confidential emails were publicly accessible online, exposing details about children and their families. This incident highlights the importance of proper data security measures for organizations handling sensitive information.
What happened
Mermaids failed to secure an email group, allowing confidential emails to be publicly accessible online.
Who was affected
Families and children whose sensitive information was included in the publicly available emails.
What the authority found
The Information Commissioner's Office ruled that Mermaids did not have adequate security measures in place, in breach of the GDPR's integrity and confidentiality principle (Article 5(1)(f)) and its security obligations under Article 32.
Why this matters
This case underscores the need for charities and organizations to implement strong data protection practices. It serves as a reminder that failing to secure personal data can lead to serious consequences.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Mermaids is a registered charity supporting children, young people and their families in relation to gender non-conformity. In 2016, Mermaids created an internet-based email group service at https://groups.io, overseen by a third party in the USA. This email group was intended to be shared between the CEO of Mermaids and 12 trustees. The default security and privacy settings were left in place, including "Group listed in directory, publicly viewable messages".

Mermaids was notified in 2019 by a user of the charity that internal emails, sent using the groups.io email group service, were publicly available online and were searchable through search engines. These contained personal data, including special category data. The service user, whose child is gender non-conforming, was made aware that her child's name, date of birth, and mental and physical health details were available online, as well as the mother's name, telephone number and address. Overall, 780 pages of confidential emails were available online. This corresponded to 550 data subjects. 15 data subjects had special category data concerning them made available online (mental or physical health; sex life; sexual orientation) and 9 data subjects' personal data was considered sensitive in the context. Of these 24 data subjects, 4 were 13 years old or under. Mermaids notified the ICO on the day it was told about this.

The Information Commissioner's Office (ICO) considered that Mermaids processed emails on an email group without appropriate restricted access settings. Due to this failure, third parties could gain unauthorised access to emails containing personal data, including special category data. The ICO deemed this in contravention of the principle of integrity and confidentiality (Article 5(1)(f) GDPR). The ICO also considered that Mermaids failed to satisfy its obligations under Articles 32(1) and 32(2) GDPR. It did not have adequate security measures in place to protect the email group affected. As a consequ
Related Enforcement Actions (0)
No other enforcement actions found for Mermaids in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
5 July 2021
Authority
Information Commissioner's Office
Fine Amount
€29,250
25,000 GBP
About this data
Cite as: Cookie Fines. Mermaids - United Kingdom (2021). Retrieved from cookiefines.eu