Court upholds data breach ruling against Omonia, APOEL, and processing company but cancels fines

The Administrative Court of Cyprus has upheld the decision by the Commissioner for Personal Data Protection, confirming that the football clubs Omonia and APOEL, along with the data processing company behind the stadium360.net platform, violated the General Data Protection Regulation. The issue originated on July 26, 2021, when a journalist reported a security vulnerability on the platform that exposed fans' names, identification numbers, and photographs. The Commissioner previously imposed administrative fines of 40,000 euros on APOEL, 10,000 euros on Omonia, and 25,000 euros on the processing company on September 6, 2021. The Court affirmed the finding of a violation, noting that the clubs themselves had acknowledged the breach by submitting notification forms. However, the Court ultimately cancelled the imposed fines, citing a lack of adherence to the principle of proportionality. APOEL had challenged only a portion of its fine, but the judicial outcome effectively nullified the financial penalties for all parties involved.