On January 26, the Swedish Privacy Protection Agency (IMY) found Sportadmin i Skandinavien AB in violation of data protection regulation and decided to impose an administrative fine of SEK 6 million ($ 650K). The decision came after the agency investigated a data breach the company had suffered where personal data pertaining to more than 2 million Swedes where leaked - many children.

In accordance with article 32.1 GDPR, companies are required to regularly asses the effectiveness of their system security. While Sportadmin argued that the leak was an isolated incident and that the company had taken extensive measures to mitigate the damage, the agency concluded that the company had been negligent in taking adequate safety measures prior to the attack.

The IMY decision is expected to be appealed.