Cyprus’ two leading football clubs and their ticketing partner have been fined a total of more than €100,000 over data protection failures.
APOEL FC, the 28-times national league winners, and current champions Omonia FC were each fined €40,000 by Cyprus’ Personal Data Protection Officer, Irene Nicolaidou Loizidou.
Contractor Hellenic Technical Enterprises, which designed and developed the Nicosia-based clubs’ ticketing systems, was also fined €25,000.
Action was taken after it was discovered that a “security gap” allowed an unauthorised person had been able to retrieve from the websites of the clubs, details of people who had bought tickets, including name, fan card number and ID card number. The information could have been used to download someone else’s fan card – a requirement to buy tickets for Cypriot football fixtures – from the Cyprus Sports Organisation website.
The three parties were found to have violated the General Data Protection Regulation in a ruling issued by Nicolaidou Loizidou last month. After asking for submissions from the three parties, they were each fined this week for “failure to implement appropriate technical and organizational security measures”.
An instruction was also given to inform the data subjects of the breach.