Mermaids – €29,250 Fine (United Kingdom, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Mermaids is a registered charity supporting children, young people and their families in relation to gender non-conformity. In 2016, Mermaids created an internet-based email group at https://groups.io, a service operated by a third party in the USA. The group was intended to be shared between the CEO of Mermaids and 12 trustees. The service's default security and privacy settings were left in place, including "Group listed in directory, publicly viewable messages". Because those defaults were never changed, the group's message archive was both listed in the public directory and readable without authentication, which is how it came to be indexed by search engines.

In 2019 a user of the charity notified Mermaids that internal emails sent through the groups.io email group were publicly available online and searchable through search engines. These contained personal data, including special category data. The service user, whose child is gender non-conforming, was made aware that her child's name, date of birth and mental and physical health information were available online, together with her own name, telephone number and address. Overall, 780 pages of confidential emails were available online, relating to 550 data subjects. 15 data subjects had special category data concerning them exposed (mental or physical health; sex life; sexual orientation), and a further 9 data subjects' personal data was considered sensitive in context. Of these 24 data subjects, 4 were 13 years old or under. Mermaids notified the ICO on the same day it was told about the exposure.

The Information Commissioner's Office (ICO) considered that Mermaids had processed emails in an email group without appropriate restricted-access settings. As a result of this failure, third parties could gain unauthorised access to emails containing personal data, including special category data. The ICO found this to be in contravention of the principle of integrity and confidentiality (Article 5(1)(f) GDPR). The ICO also considered that Mermaids had failed to satisfy its obligations under Articles 32(1) and 32(2) GDPR, since it did not have adequate security measures in place to protect the email group affected. As a consequ
GDPR Articles Cited
Article 5(1)(f) GDPR (integrity and confidentiality); Article 32(1) GDPR and Article 32(2) GDPR (security of processing).
Related Enforcement Actions (0)
No other enforcement actions found for Mermaids in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
5 July 2021
Authority
Information Commissioner's Office
Fine Amount
€29,250
25,000 GBP
Enforcement Tracker ID
ETid-752
GDPRhub ID
gdprhub-3662
Cite as: Cookie Fines. Mermaids - United Kingdom (2021). Retrieved from cookiefines.eu