Swedish SA: Administrative fine against Sportadmin
Background information
- Date of final decision: 26 January 2026
- National case
- Controller: Sportadmin i Skandinavien AB
- Legal Reference(s): Article 32 (Security of processing), Article 83 (General conditions for imposing administrative fines)
- Decision: Administrative fine
- Key words: Administrative fine, Children, Data security, Hacker attack, Sensitive data
Summary of the Decision
Origin of the case
The Swedish Supervisory Authority for Privacy Protection (IMY) initiated an investigation of the company Sportadmin following a cyber attack in which the attacker gained access to data relating to more than 2.1 million individuals and subsequently published it on the Darknet. Sportadmin provides digital communication services for sports clubs and other organisations. Among other things, it provides an app that is used by clubs' leaders, members and members' guardians, and it allows users to handle administration online. The leaked data mainly concerned children and young people, including names and contact details, personal identity numbers, and information about which sport and sports club the individuals were associated with. The leaked data also included sensitive health data and, to some extent, data about persons with protected identity.
Key Findings
The Swedish SA's supervision identified both technical and organisational deficiencies. For a long time prior to the attack, Sportadmin was aware of certain weaknesses in its systems and of areas with elevated risks of attack. The company worked to address these issues but is deemed not to have done enough. Sportadmin also lacked the routines required to detect deficiencies in existing security measures and did not have a system in place to detect intrusions and attempted intrusions in real time. Had such measures been in place, Sportadmin would have been better positioned to prevent the incident or, at the very least, limit the damage.
Decision
The Swedish SA finds that Sportadmin has violated Article 32.1 GDPR and imposes an administrative fine of SEK 6 000 000 (approximately 566 000 euro).
For further information: Decision in national language: Sanktionsavgift mot Sportadmin för bristande IT-säkerhet (Swedish)