Sportadmin i Skandinavien AB – €528,000 Fine (Sweden, 2026)

€528,000 | Integritetsskyddsmyndigheten | 26 January 2026 | Sweden
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Sportadmin i Skandinavien AB (the processor) operated a digital administration platform on behalf of sports clubs and associations (the controllers). The platform processed the personal data of over 2.1 million individuals, primarily children and young people. In January 2025, the processor experienced a cyberattack that enabled the attacker to access and extract a large volume of personal data. The stolen data included names, contact details, social security numbers, association affiliation, and sensitive health data. The data were later published on the darknet, exposing the affected data subjects to significant privacy risks.

The processor reported the breach to the Swedish DPA (IMY) the day after the cyberattack occurred. IMY then initiated an investigation to assess whether the processor had implemented appropriate technical and organizational security measures under Article 32 GDPR.

IMY held that the processor violated Article 32 GDPR by failing to implement appropriate technical and organizational measures to protect personal data. IMY found that the processor's security measures were insufficient and disproportionate to the risks associated with the processing, and concluded that the processor was aware of vulnerabilities and elevated risks in its systems prior to the attack, yet failed to take adequate corrective action. The processor lacked proper risk analysis, security monitoring, intrusion detection, and preventive security controls. IMY further determined that these deficiencies reflected passivity and inadequate security governance, and that the security level was therefore not appropriate given the scale of the data processing and the sensitivity of the data, especially considering that a large portion of the data concerned children. As a result, IMY held that the processor breached Article 32 GDPR and imposed an administrative sanction fee of SEK 6,000,000 (€560,000).

GDPR Articles Cited

AI-verified

Art. 32 GDPR

Source verified 6 March 2026
amount discrepancy

Details

Fine Date

26 January 2026

Authority

Integritetsskyddsmyndigheten

Fine Amount

€528,000

6,000,000 SEK

GDPRhub ID

gdprhub-9756

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Sportadmin i Skandinavien AB - Sweden (2026). Retrieved from cookiefines.eu
