The Central Young Men’s Christian Association (Central YMCA) – €8,775 Fine (United Kingdom, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Central YMCA accidentally revealed the email addresses of 264 people in a mailing list, which included sensitive health information. This breach happened because the organization used the wrong email function, exposing personal details. This incident highlights the importance of protecting sensitive information, especially for organizations handling health data.
What happened
The Central YMCA exposed the email addresses of 264 recipients by using the CC function instead of BCC in an email.
Who was affected
People enrolled in the Positive Health Programme who had their email addresses disclosed.
What the authority found
The Information Commissioner's Office found that the Central YMCA failed to adequately protect personal data, violating GDPR's requirements for security and confidentiality.
Why this matters
This case emphasizes the need for organizations to implement proper email practices to protect sensitive information. It serves as a reminder for all businesses to regularly review their data protection policies and training.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The Central Young Men’s Christian Association (the controller) offers a Positive Health Programme (Programme), which is an exercise scheme for people living with HIV. As part of the Programme, the Central YMCA collects special categories of data including referrals, dates of HIV diagnosis, medications taken, medical statistics, referring hospitals or clinicians and other medical history. On 6 October 2022, a coordinator of the Programme sent an email to a mailing list of 270 recipients. The recipients were entered into the carbon copy (CC) function rather than the blind carbon copy (BCC) function, revealing the email addresses of all 270 recipients. The controller became aware of the breach the following day upon receiving complaints from affected data subjects. Upon realising the error, the coordinator attempted to unsend the email, but unintentionally sent a second email to all 270 recipients with the email addresses again entered in the CC function. Accounting for duplicates, 264 email addresses were disclosed in the breach, of which 115 had clear names and 51 had partial names that made them potentially identifiable. Thus, 166 data subjects were affected by the breach. The controller reported the breach to the Information Commissioner’s Office (ICO) on 7 October 2022. On 10 October 2022, the controller notified the affected data subjects, took accountability of its error and informed data subjects of the steps it was taking. At the time of the breach, the controller had a verbally communicated policy that the Programme staff should send event invitations using the BCC function. The controller had access to an email marketing tool which would permit for the sending of individual emails to each recipient, but it did not use this tool in sending emails relating to the Programme. The controller waived its opportunity to respond to the ICO’s Notice of Intent and instead accepted the Notice and the ICO’s findings. It took remedial steps, conducting an audit of how
Related Enforcement Actions (0)
No other enforcement actions found for The Central Young Men’s Christian Association (Central YMCA) in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
30 April 2024
Authority
Information Commissioner's Office
Fine Amount
€8,775
7,500 GBP
GDPRhub ID
gdprhub-7864About this data
Cite as: Cookie Fines. The Central Young Men’s Christian Association (Central YMCA) - United Kingdom (2024). Retrieved from cookiefines.eu
Last updated: