APOEL – Court Ruling (Cyprus, 2026)

On 26 July 2021, a journalist informed the Cypriot DPA of a security vulnerability on an online platform. This online platform hosted ticket purchase sites of two Cypriot football clubs, OMONIA and APOEL (the controllers). This flaw in the system allowed a user to identify, through a reserved-seat icon, the name and ID number of the fan who had reserved the seat. By using that information, the user could then download the fan card, including the fan’s photograph. The DPA ordered the controllers to submit a personal data breach notification in accordance with Article 33 GDPR. In addition, it asked them to provide information on whether a penetration test had been carried out on the platform and to submit their contracts with the platform provider which acted as the processor of this data. Both controllers submitted the Personal Data Breach Notification Form and the requested documents. The DPA fined each controller €40.000 and the processor €25.000 for the violations of Article 24(1) GDPR, Article 25 GDPR and Article 32(1) GDPR. The controllers and the processor appealed the decision, mainly disputing their responsibility for the required security measures, their respective roles under the GDPR, and the proportionality of the fines. One of the controllers challenged only part of that fine. The court held that, by submitting the breach notification form, the controllers had accepted both that there had been a personal data breach under Article 33 GDPR and that they acted as controllers for the purposes of the GDPR. The court further held that the platform provider acted as a processor under the relevant contracts and was therefore bound by Articles 28 and 32 GDPR. The court upheld the DPA’s finding that the controllers and the processor had infringed the GDPR. It rejected one of the controllers’ arguments that it had no duty to carry out a penetration test before the platform was launched. The court held that Article 24 GDPR, Article 25 GDPR and Article 32 GDPR imp