IMY’s administrative fine against Sportadmin – what do the IT security requirements mean in practice?

The Data Protection Agency has imposed an administrative fine of SEK 6 million on Sportadmin following a large-scale cyberattack. The attack exposed a substantial volume of personal data, including information relating to children and young people. The Agency considers that the company failed to maintain a level of security appropriate to the risks arising from the processing and concludes that the requirements in article 32 of the GDPR were breached – a scenario where advice from an experienced GDPR lawyer can be decisive in achieving the right level of technical and organisational security measures.

The case illustrates the high bar set for technical and organisational security measures when handling large datasets and sensitive personal data, especially where children are data subjects. Basic IT safeguards are not sufficient – security must be risk-based, actively managed and continuously improved.

What happened in the Sportadmin case?

The Agency’s decision follows a cyberattack against Sportadmin in January 2025. The attacker accessed data on more than 2.1 million individuals, which was subsequently published on the Darknet.

The leaked data included, among other things:

• names and contact details,
• personal identity numbers,
• the sport and association with which the data subject was linked,
• health data, i.e. special categories of personal data, and
• in some instances, protected personal data.

A large proportion of the data related to children and young people. When information about children, health and protected personal data falls into the wrong hands, the consequences can be long term and difficult to foresee. The Agency also stresses that parents should be able to trust that appropriate security measures are in place when they provide information about their children in this type of system.

The Agency’s assessment: inadequate security level and passivity

The Agency’s review identified both technical and organisational shortcomings in Sportadmin’s handling. A central element of the assessment is that the company had long been aware of weaknesses in its systems and areas of heightened attack risk prior to the incident.

Although certain actions were taken, the Agency considers the work insufficient. It notes, among other things, that:

• known weaknesses persisted for an extended period without adequate remediation,
• there were no routines to detect deficiencies in existing security measures, and
• the company lacked a capability to detect intrusions and intrusion attempts in real time.

The Agency underlines that cyberattacks can never be entirely ruled out, but the controller must ensure a security level tailored to the personal data being processed. With stronger detection and monitoring in place, Sportadmin would have been better positioned to prevent or at least limit the damage.

Against this background, the Agency finds that Sportadmin has breached article 32 of the GDPR and imposes an administrative fine of SEK 6 million.

Article 32 GDPR – what do “appropriate” technical and organisational security measures mean?

Article 32 of the GDPR sets out the general security obligation for personal data processing. The provision is risk based: the level of security must be appropriate to the risks posed to the rights and freedoms of data subjects.

In assessing this, one should consider, among other factors:

• the nature, scope, context and purposes of the processing,
• whether special categories of personal data, such as health, are involved,
• whether children are data subjects, and
• the likelihood and severity of potential adverse consequences.

Article 32 lists examples of technical and organisational security measures that may be relevant, such as encryption, access control, the ability to ensure confidentiality, integrity and availability, as well as regular testing and evaluation of security measures. The appropriate combination in any given case is a matter of judgement, but the need for structure and documentation is clear.

What can other organisations take away?

Although the decision concerns Sportadmin specifically, the reasoning is relevant for many others: sports associations, federations, platform providers, SaaS companies and organisations that handle large volumes of personal data.

• Children’s and sensitive data demand stronger protection – if you process data on children, health or protected personal data, your security level must be high.
• Known weaknesses must be prioritised – being aware of vulnerabilities without acting promptly can weigh heavily in a supervisory review.
• Detection is part of security – logging, monitoring and real-time intrusion detection are central to the article 32 perspective and to technical and organisational security measures.
• Security is more than technology – organisational aspects such as procedures, clear accountability and follow-up are as important as technical solutions.

For controllers, it is not sufficient to point to a supplier. You must demonstrate that you have assessed and followed up the supplier’s security level, particularly for services that handle many data subjects or especially sensitive data.

Common weaknesses in GDPR-aligned IT security

The Sportadmin case highlights recurring weaknesses that often cause practical challenges:

• Insufficient risk analysis – no up-to-date, documented assessment of the actual processing risks.
• Unprioritised vulnerabilities – known security gaps slip to the bottom of the to-do list.
• Lack of monitoring – logging, alerting and real-time monitoring are underdeveloped or absent.
• Unclear allocation of responsibility – accountability for different parts of the security work is unclear, both internally and vis-à-vis suppliers.
• No continuous improvement – security is treated as a project rather than an ongoing process with review and revision.

When should you bring in legal expertise?

IT security under the GDPR often sits at the intersection of law and technology. Legal advice can be especially valuable when:

• you procure or renegotiate systems that will process large volumes of personal data or sensitive data,
• you need to design or update your article 32 security framework,
• you want to clarify the allocation of responsibility between controller and processor, and
• you have suffered an incident and need to assess notification duties and information to data subjects.

Structured GDPR compliance is ultimately about trust – that data subjects, customers, members and parents can rely on responsible handling of their data.

At Morling Consulting, our data protection lawyers support companies, associations and digital service providers across Europe in analysing risks, implementing appropriate technical and organisational security measures, and preparing contracts and procedures that withstand GDPR scrutiny.