The Central Young Men’s Christian Association (Central YMCA) – €8,775 Fine (United Kingdom, 2024)

€8,775 | Information Commissioner's Office | 30 April 2024 | United Kingdom
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Central Young Men’s Christian Association (the controller) offers a Positive Health Programme (Programme), which is an exercise scheme for people living with HIV. As part of the Programme, the Central YMCA collects special categories of data including referrals, dates of HIV diagnosis, medications taken, medical statistics, referring hospitals or clinicians and other medical history.

On 6 October 2022, a coordinator of the Programme sent an email to a mailing list of 270 recipients. The recipients were entered into the carbon copy (CC) function rather than the blind carbon copy (BCC) function, revealing the email addresses of all 270 recipients. The controller became aware of the breach the following day upon receiving complaints from affected data subjects. Upon realising the error, the coordinator attempted to unsend the email, but unintentionally sent a second email to all 270 recipients with the email addresses again entered in the CC function.

Accounting for duplicates, 264 email addresses were disclosed in the breach, of which 115 had clear names and 51 had partial names that made them potentially identifiable. Thus, 166 data subjects were affected by the breach. The controller reported the breach to the Information Commissioner’s Office (ICO) on 7 October 2022. On 10 October 2022, the controller notified the affected data subjects, took accountability for its error and informed data subjects of the steps it was taking.

At the time of the breach, the controller had a verbally communicated policy that the Programme staff should send event invitations using the BCC function. The controller had access to an email marketing tool which would permit the sending of individual emails to each recipient, but it did not use this tool in sending emails relating to the Programme. The controller waived its opportunity to respond to the ICO’s Notice of Intent and instead accepted the Notice and the ICO’s findings. It took remedial steps, conducting an audit of how

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(f) GDPR

National Law Articles

UK GDPR

Related Enforcement Actions (0)

No other enforcement actions found for The Central Young Men’s Christian Association (Central YMCA) in UK

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

30 April 2024

Authority

Information Commissioner's Office

Fine Amount

€8,775

7,500 GBP

GDPRhub ID

gdprhub-7864

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. The Central Young Men’s Christian Association (Central YMCA) - United Kingdom (2024). Retrieved from cookiefines.eu
