HIV Scotland – €11,800 Fine (United Kingdom, 2021)

€11,800 | Information Commissioner's Office | 18 October 2021 | United Kingdom
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

HIV Scotland was fined after a mistake revealed the email addresses of 65 members of a support network for people living with HIV. This breach could expose sensitive information about individuals' health, highlighting the need for careful handling of personal data. The organization was fined €11,700 for not having proper security measures.

What happened

HIV Scotland accidentally sent an email that revealed the email addresses of 65 members of its Community Advisory Network.

Who was affected

105 members of the Community Advisory Network, including 65 whose email addresses were exposed.

What the authority found

The Information Commissioner's Office found that HIV Scotland did not have adequate technical and organizational measures to protect personal data.

Why this matters

This case illustrates the risks of mishandling personal data, especially in sensitive areas like health. Organizations must implement robust training and policies to safeguard user information.

GDPR Articles Cited

Art. 5(1)(f) GDPR
Art. 32(1) GDPR

Full Legal Summary

The British DPA (ICO) has imposed a fine of EUR 11,800 on the non-profit organization HIV Scotland. The controller had sent an e-mail to 105 people, with e-mail addresses on the mailing list visible to all recipients. In the case of 65 of the e-mail addresses, persons could be identified by name. It was possible to draw conclusions about the individuals' HIV status or risk based on the personal data provided. The DPA found that the organization had failed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. For example, the organization had conducted inadequate employee training and used improper methods for sending bulk e-mails via blind copy (bcc).

Related Enforcement Actions (0)

No other enforcement actions found for HIV Scotland in the UK.

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 18 October 2021

Authority: Information Commissioner's Office

Fine Amount: €11,800

Enforcement Tracker ID: ETid-883

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. HIV Scotland - United Kingdom (2021). Retrieved from cookiefines.eu
