The Data Protection Agency opens an investigation into Sportadmin
This post provides brief background to the Sportadmin case. For an analysis of the Authority’s decision and what the IT security requirements mean in practice, see: IMY’s administrative fine against Sportadmin – what do the IT security requirements mean in practice?
Following the extensive data breach affecting Sportadmin in January 2025 — reportedly impacting more than 2 million individuals, including many children — the Data Protection Agency has initiated a formal review of the provider. The supervision is conducted under the General Data Protection Regulation (GDPR) and focuses on whether Sportadmin had adequate security measures in place.
The review is based on Sportadmin’s own notification, more than 1,650 incident reports from associations using the service, and around twenty complaints from data subjects. The Agency’s questions cover, among other things, the categories of personal data exposed (for example sensitive personal data and children’s data), how the incident was handled, and how responsibility is allocated between Sportadmin and its customers (the associations).
Sportadmin often acts as a data processor, while the associations are the data controllers. A processor can itself be investigated and be subject to administrative fines if it fails to implement an appropriate level of security. In this case, the Data Protection Agency is examining whether Sportadmin carried out sufficient risk assessments and preventive measures pursuant to GDPR Article 32 (security of processing), including the adequacy of its incident management procedures.
Certain personal data benefit from enhanced protection under the GDPR. The Agency has asked whether data concerning children or other sensitive categories such as health data or protected identities may have been leaked. Media reports have also suggested that some personal data are decades old, which could help explain the large number of individuals affected and raises questions about data retention practices.
What can we learn from the Sportadmin data breach?
- Review the data processing agreement: Are security measures mandated? Are data deleted on a rolling basis when no longer needed? How is responsibility allocated for incidents?
- Document risk assessments: What has been done before any potential incident?
- Ensure the provider complies with the GDPR — before an incident occurs.
Practical next steps for controllers and processors
Verify roles and responsibilities between the data controller and the data processor, align controller obligations under GDPR with contractual commitments, and test incident management procedures against realistic scenarios. Revisit GDPR Article 32 controls and other preventive measures, and embed proportionate data retention rules, especially where sensitive personal data such as health data or protected identities are handled.
Morling Consulting follows the development of the Data Protection Agency’s supervision. Our GDPR experts assist with reviewing the data processing agreement, advising on children’s privacy and providing legal support in incident handling. We deliver GDPR compliance consulting and help you act correctly if an incident has occurred, and prevent the next one, for clients across Europe.
10 March 2026