Birthlink – €21,060 Fine (United Kingdom, 2025)

Fine amount: €21,060
Authority: Information Commissioner's Office
Date: 24 June 2025
Country: United Kingdom
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.


GDPR Articles Cited

Art. 5(1)(f) GDPR
Art. 5(2) GDPR
Art. 32(1) GDPR
Art. 32(2) GDPR
Art. 33(1) GDPR

National Law Articles

UK GDPR
Full Legal Summary

The controller is Birthlink, a company providing after-adoption services that maintains the adoption contact register for Scotland. The register enables adopted people, birth parents, adoptive relatives and birth relatives to register their details with a view to being ‘linked’ and potentially reunited. Birthlink maintained manual records stored in filing cabinets containing documents relating to an adopted person’s individual circumstances. In April 2021, records containing sensitive personal data of about 4,800 individuals were destroyed without clear approval from the board. Some of the destroyed files contained irreplaceable items. In September 2023, following internal investigations, Birthlink notified the Data Protection Authority (Information Commissioner's Office, ICO) of the breach. First, the DPA established that the manual records formed part of a ‘filing system’ as defined by Article 4(6) UK GDPR. Second, the DPA held that Birthlink violated Article 5(1)(f) UK GDPR (the principle of integrity and confidentiality) and Article 32(1) and Article 32(2) UK GDPR (security of processing) by failing to ensure appropriate security and organisational measures for the processing of the personal data. In particular, it had failed to implement a data retention policy, a data destruction policy, any sufficient internal approval process for the destruction of files, and any data protection training for members of staff. Third, the DPA found that Birthlink violated the principle of accountability under Article 5(2) UK GDPR: in the absence of appropriate policies, procedures and staff training, it was not able to demonstrate compliance with its obligations under Article 5(1)(f) UK GDPR. Fourth, it held that Birthlink breached Article 33 UK GDPR by failing to notify the DPA within 72 hours of the personal data breach. Lastly, the DPA imposed a fine of GBP 18,000 (€20,707). For the calculation of the fine it took into account the irreplaceable nature and

Details

Fine Date

24 June 2025

Authority

Information Commissioner's Office

Fine Amount

€21,060

GBP 18,000

GDPRhub ID

gdprhub-9429

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Birthlink - United Kingdom (2025). Retrieved from cookiefines.eu
