IMY (Sweden) – IMY-2025-7801

26 January 2026


{{DPAdecisionBOX

|Jurisdiction=Sweden
|DPA-BG-Color=
|DPAlogo=LogoSE.png
|DPA_Abbrevation=IMY
|DPA_With_Country=IMY (Sweden)

|Case_Number_Name=IMY-2025-7801
|ECLI=

|Original_Source_Name_1=IMY
|Original_Source_Link_1=https://www.imy.se/globalassets/dokument/tillsynsskrivelser/2026/beslut-efter-tillsyn-enligt-gdpr_sportadmin-i-skandinavien-ab.pdf
|Original_Source_Language_1=Swedish
|Original_Source_Language__Code_1=SV
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Investigation
|Outcome=Violation Found
|Date_Started=17.01.2025
|Date_Decided=26.01.2026
|Date_Published=26.01.2026
|Year=2026
|Fine=6,000,000
|Currency=SEK

|GDPR_Article_1=Article 32 GDPR
|GDPR_Article_Link_1=Article 32 GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=Sportadmin i Skandinavien AB
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=
|
}}

The DPA fined a digital communication services provider €560,000 (SEK 6,000,000) after a cyberattack exposed personal data of over 2.1 million people, and the controller was found to have insufficient security measures in violation of [[Article 32 GDPR]].

== English Summary ==

=== Facts ===
Sportadmin i Skandinavien AB (the controller) operated a digital administration platform used by sports clubs and associations. The platform processed personal data of over 2.1 million data subjects, primarily children and young people.

In January 2025, the controller experienced a cyberattack that enabled the attacker to access and extract a large volume of personal data. The stolen data included names, contact details, social security numbers, association affiliation, and sensitive health data. The data were later published on the Darknet, exposing the affected data subjects to significant privacy risks.

The controller reported the breach to the Swedish DPA (IMY) the day after the cyberattack occurred. IMY then initiated an investigation to assess whether the controller had implemented appropriate technical and organizational security measures under [[Article 32 GDPR]].
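
The decision text below traces the breach to a reused variable that was passed directly into a database query after a 2022 code change, and records that reviewers missed it because the variable was considered secure. The following is an added example, not code from the decision or from Sportadmin: a small automated review check that flags any `execute()` call whose SQL text is assembled from run-time values, followed by a run of the flagged and the bound query against an in-memory database. Python and `sqlite3` stand in for the unknown application stack, and all function, table and variable names are hypothetical.

```python
import ast
import sqlite3

# Constructed application code under review (hypothetical names, not Sportadmin's code).
# `site` plays the role of the reused variable that reviewers assumed was safe.
SAMPLE_SOURCE = '''
def load_site_concat(cur, site):
    cur.execute("SELECT name FROM members WHERE site = '" + site + "'")
    return cur.fetchall()

def load_site_fstring(cur, site):
    cur.execute(f"SELECT name FROM members WHERE site = '{site}'")
    return cur.fetchall()

def load_site_bound(cur, site):
    cur.execute("SELECT name FROM members WHERE site = ?", (site,))
    return cur.fetchall()
'''


def _has_non_literal(node):
    """True if any operand of a +/% expression is something other than a literal."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp):
        return _has_non_literal(node.left) or _has_non_literal(node.right)
    return True


def _is_dynamic_sql(node):
    """True if the SQL text argument is assembled from run-time values."""
    if isinstance(node, ast.JoinedStr):  # f-string with placeholders
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _has_non_literal(node)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...".format(value)
    return False


def find_string_built_sql(source):
    """Return (function name, line) for each execute() call with string-built SQL.

    The check does not care whether a reviewer believes the variable is safe:
    any query text that is not a plain literal is reported.
    """
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr in ("execute", "executemany")
                    and node.args
                    and _is_dynamic_sql(node.args[0])):
                findings.append((func.name, node.lineno))
    return sorted(findings, key=lambda item: item[1])


def demo_rows(value):
    """Run the concatenated and the bound query with `value`; return row counts."""
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)  # load the constructed functions above
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE members (name TEXT, site TEXT)")
    cur.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("Member A", "club-one"), ("Member B", "club-two"), ("Member C", "club-two")],
    )
    counts = {name: len(namespace[name](cur, value))
              for name in ("load_site_concat", "load_site_bound")}
    conn.close()
    return counts


if __name__ == "__main__":
    for name, line in find_string_built_sql(SAMPLE_SOURCE):
        print(f"string-built SQL in {name} (line {line})")
    print(demo_rows("club-one"))
    print(demo_rows("x' OR '1'='1"))
```

With an ordinary value both queries return the same single row; with a value containing a quote the concatenated query returns every row in the table while the bound query returns none.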

=== Holding ===
IMY held that the controller violated [[Article 32 GDPR]] by failing to implement appropriate technical and organizational measures to protect personal data.

IMY found that the controller’s security measures were insufficient and disproportionate to the risks associated with the processing and concluded that the controller was aware of vulnerabilities and elevated risks in its systems prior to the attack, yet failed to take adequate corrective action. The controller lacked proper risk analysis, security monitoring, intrusion detection, and preventive security controls.

IMY further determined that these deficiencies reflected passivity and inadequate security governance, and therefore the security level was not appropriate given the scale of the data processing and the sensitivity of the data, especially considering that a large portion of the data concerned children.

As a result, IMY held that the controller breached [[Article 32 GDPR]] and imposed an administrative sanction fee of €560,000 (SEK 6,000,000).
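
The decision text below records SQL injection attempts from the morning of 14 January 2025, while the performance-oriented monitoring tool only raised an alarm when a server stopped responding on 16 January. The following is an added example, not taken from the decision or from Sportadmin: request-level detection over constructed access-log lines that alerts on repeated injection-shaped parameter values from one client. The log layout, signature list, threshold and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines: "timestamp client method url status" (documentation IP ranges).
SAMPLE_LOG = """\
2025-01-14T07:58:10 198.51.100.7 GET /club/login?site=club-one 200
2025-01-14T08:01:02 203.0.113.9 GET /club/login?site=club-one%27 500
2025-01-14T08:01:40 203.0.113.9 GET /club/login?site=x%27%20OR%20%271%27%3D%271 200
2025-01-14T08:02:15 203.0.113.9 GET /club/login?site=x%27%20UNION%20SELECT%20NULL-- 500
2025-01-14T09:30:00 198.51.100.7 GET /club/news?id=42 200
"""

# Assumed signature set; a single hit can be a false positive (a name with an
# apostrophe, for example), which is why alerts require repeated hits.
SIGNATURES = [
    ("quote-break", re.compile(r"'\s*(or|and)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("comment-tail", re.compile(r"(--|/\*)\s*$")),
    ("stacked-statement", re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I)),
    ("dangling-quote", re.compile(r"^[^']*'[^']*$")),
]


def classify(value):
    """Return the sorted names of all signatures matching a decoded parameter value."""
    return sorted(name for name, rx in SIGNATURES if rx.search(value))


def parse_line(line):
    """Split one log line and URL-decode its query parameters."""
    ts, client, _method, url, status = line.split()
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return datetime.fromisoformat(ts), client, params, int(status)


def detect(log_text, threshold=3, window_minutes=10):
    """Alert once per client when `threshold` suspicious requests fall inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # client -> timestamps of suspicious requests
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, params, _status = parse_line(line)
        hits = sorted({name for _, value in params for name in classify(value)})
        if not hits:
            continue
        queue = recent[client]
        queue.append(ts)
        while ts - queue[0] > window:      # drop hits older than the window
            queue.popleft()
        if len(queue) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append({
                "client": client,
                "first_seen": queue[0].isoformat(),
                "alert_at": ts.isoformat(),
                "count": len(queue),
                "last_signatures": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A short window misses attempts spread over hours or days, as in the timeline the decision describes, so a second pass with a much longer `window_minutes` (or a daily per-client count) is needed alongside the burst rule.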

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

<pre>
Sportadmin i Skandinavien AB

Case number: IMY-2025-7801
Date: 2026-01-26

Decision after supervision according to data protection regulation –
Sportadmin i Skandinavien AB
Decision of the Swedish Data Protection Authority

The Swedish Data Protection Authority finds that Sportadmin i Skandinavien AB, 556773-0832,
has processed personal data in violation of Article 32(1) of the Data Protection Regulation[1]
by failing to take appropriate technical and organizational measures to ensure
an appropriate level of security for the personal data in its services before and at the time
of the personal data incident that was found on 16 January 2025.

The Swedish Data Protection Authority decides, based on Articles 58(2) and 83 of
the Data Protection Regulation, that Sportadmin i Skandinavien AB shall pay an administrative
sanction fee of SEK 6,000,000 for the violation of Article 32.1 of
the Data Protection Regulation.

Statement of the supervisory case

Background

The Swedish Data Protection Authority (IMY) has initiated supervision of Sportadmin i Skandinavien
AB (Sportadmin) due to a personal data incident that occurred on
16 January 2025 and was reported by Sportadmin to IMY on 17 January 2025.

Sportadmin provides digital communication services (the services) in the form of, among other things,
a web-based administration tool for member management, invoicing and
websites for sports clubs and other organizations (the clubs) as well as a
mobile application used by the clubs’ leaders, members and members’
guardians.

Sportadmin’s personal data breach notification states, among other things, that
the services, in which personal data for which Sportadmin is both the data controller
and the data processor is processed, have been subjected to a data breach by an external
attacker (the threat actor). It is further stated that at the time of the notification there were signs
that data had been transferred to the threat actor and that it could not be excluded that the threat actor
thereby gained access to personal data.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement
of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00.

IMY’s review of the case concerns the question of whether Sportadmin had taken appropriate technical and organizational security measures in accordance with Article 32(1) of the General Data Protection Regulation before and at the time of the personal data incident to protect the personal data processed in the services.

What Sportadmin has stated

Sportadmin believes that the company has not violated the General Data Protection Regulation and that the security measures taken were sufficient in relation to the personal data processed in the services and has further stated the following in particular.

Summary of the breach
On January 16, 2025, Sportadmin discovered that there had been a breach in the services and
initiated an investigation with the support of an external security partner. The system logs
reviewed during the investigation show, among other things, the following.

The breach on January 16th occurred when a threat actor carried out a so-called SQL injection via a specific variable, which was introduced on one of Sportadmin’s websites, which lacked protection against this type of attack. The investigation indicates that there have also been repeated attempts at SQL injections since the morning of January 14th, 2025. Due to excessive permissions in the parts of the service where the breach occurred, the threat actor was able to gain access to Sportadmin’s server. The logs showed abnormal outgoing traffic from the production environment in the early morning of January 16th, 2025, which Sportadmin assessed at the time of the breach as a likely sign of data transfer from the environment. Initially, the company could not confirm that such a transfer had occurred. However, on March 14th, 2025, all retrieved and stolen data, which contained personal data, was published on the Darknet.

The probable cause of the breach and its scope
Sportadmin’s investigation shows that the breach was likely made possible by a threat actor being able to access the systems through an SQL injection.

In connection with a change to the login procedure for club websites on
28 June 2022, a code change was made, whereby a special variable was introduced on
one of Sportadmin’s websites. When the variable was added, Sportadmin neglected to apply
its existing security method for protection against SQL injections. Since the change
did not introduce a new variable into the systems, but rather concerned the reuse of a
variable that Sportadmin considered to be secure and which usually does not require
the application of additional security methods, the flaw was not discovered. The unprotected
variable was then used directly when communicating with the database, which resulted in
an increased risk of data breaches using SQL injections. It was at this variable
that the current SQL injection was carried out and which likely caused the incident.

[2] IMY’s explanation: An SQL injection is a method of data breach that exploits a vulnerability in SQL. SQL is a
programming language used to query relational databases and to change and update
databases.
[3] IMY’s explanation: Variables are used in programs to store the data that is being processed for the short term. These can
for example contain information about the user such as name and email address, but also other information that affects
the functionality of the service.

Two factors that contributed to the extent of the incident concerned the permissions and rights
for the SQL user and the Windows user. The SQL user had higher
rights than necessary due to certain compatibility requirements with Sportadmin’s older
system. Furthermore, the Windows user running the SQL server service[6] on the
occasion had higher rights than previously known. The SQL server also allowed the execution of
external program files, such as Powershell scripts.

Code review routines and monitoring systems
The code change implemented in June 2022 was classified as a
high-risk change and reviews were therefore carried out by additional people.
The lack of protection against SQL injections was nevertheless not caught because
the company had shortcomings in its review routines for more complex code changes. The company
has identified the following shortcomings.

• The risk classification was too one-sided because it was mainly based on
the impact on the login process and the risk of improper access to
user data. This meant that other types of attacks, such as SQL
injections, were not considered sufficiently.

• The combination of a technically complex environment where older (legacy) code was mixed
with newer implementations, contributed to the vulnerability in question not being
identified during the review.

• There was a lack of additional review routines when changing code that entailed
a high risk in combination with particular dependence on older code. For
example, they could have included mandatory review by more people. Furthermore,
automated security reviews of the code could have identified vulnerabilities.

• The code review was subjective and unclear. Since code review at
the time was not a mandatory step when changing code and
the risk assessment criteria were subjective, the decision to
conduct a review was based on an individual assessment in the individual case.

Sportadmin’s monitoring system did not raise any alarms about suspicious activities in connection
with the intrusion on 14 January 2025 and onwards. The program used constantly monitors and analyzes
hardware, software and usage to identify any abnormal activity in terms of performance or load,
but is not a tool for real-time monitoring and detection of intrusion attempts. Logs from
the system were manually reviewed by the company on a daily basis. Through analysis of logs
or in the event of unexpected changes in system performance, suspicious activity
could be identified.

However, the monitoring system warned of abnormal activity when one of Sportadmin’s
servers stopped responding on January 16, 2025. This led to a manual review and
detection of the ongoing intrusion. In the subsequent investigation,
the system further enabled access to logs. The logs were used, among other things, to understand
the likely methods the threat actor used to gain access to the system and to subsequently determine
that the intrusion attempts had been ongoing since January 14, 2025.

[4] IMY’s explanation: A SQL user is an account that can be used to connect to a SQL server, which is a
server that has the software required to manage the database.
[5] IMY’s explanation: A Windows user is an account that can be used in the Microsoft Windows operating system
(for example, Windows Server 2025 or Windows 11) to log in to the computer and/or run specific programs.
[6] IMY’s explanation: Services (smaller programs) can run in the background on a server to perform specific tasks.
SQL service is an example of a database-related service that communicates with the database.

Risk assessments and security measures taken

Sportadmin has a structured security and data protection work where risk assessments
are discussed and updated on an ongoing basis. In addition, major annual
audits were carried out in 2021 and 2022 and at the turn of the year 2023/2024. During
the audits, Sportadmin consistently identified increased risks of data breaches
in the form of, among other things, SQL injections due to parts of the system being written in
older code. Sportadmin therefore carried out continuous work to reduce the risks
by, among other things, adding and updating protection for SQL injections at the same time
as the company gradually transitioned to modern technology.

The publicly exposed parts of Sportadmin’s system, such as club websites,
were assessed as areas with an increased risk level for potential data leakage or
data destruction as a consequence. Therefore, targeted efforts were carried out to
identify and address vulnerabilities related to SQL injections in the parts of
the systems that had not yet been migrated to modern technology. At the beginning of 2023, a
strengthened security method against SQL injections was introduced. However, when the new security method
was implemented, there was no knowledge that a variable was unprotected.
The security method was therefore not applied to this variable.

In May and June 2024, the possibility of introducing additional protection for the services
was investigated by implementing a so-called Web Application Firewall (WAF).[7] During the tests,
problems arose that meant that the solution was not considered feasible at the time
because it required a high degree of manual handling and would entail high
implementation costs. The testing was therefore temporarily paused with the intention of
identifying a more sustainable solution in the future given the then-current technical environment. At
the time of the incident, work to transition to an SQL user
with limited permissions had also begun, but had not been completed.

Personal data in the services
The personal data incident involved 2,126,075 natural persons, who were identifiable
via personal identification numbers. Since the associations’ activities are primarily focused on
activities for children and young people, this group is most prevalent in the associations’
registers. The services contain several categories of personal data in the form of, among other things,
full names and contact details, gender, personal identification number, relationship between guardian
and member, nationality and the sport and association to which a data subject has been
linked. The personal data processed in the services also includes sensitive
personal data about disabilities and allergies. It has also emerged that
to some extent protected personal data was present in the services, even though
the starting point was that such data would not be processed in the services.

Measures taken in response to the incident
There was a complete shutdown of all services approximately one hour after
the incident was discovered. Sportadmin handled the incident as a serious
security incident based on three parallel focus areas in the form of minimising damage
for customers and users, restoring normal operations and communication towards
the associations and users. Sportadmin also implemented extensive measures in order to
minimize the risk of a similar incident occurring. The company took
several technical measures in a short time, including extensive
reviews of existing functionality and activation of a new production environment in order to
prevent the threat actor from continued or further access to the personal data. In the
new production environment that went into operation on January 18, 2024, several enhanced
protections against SQL injections were introduced, for example, a WAF was activated.

[7] IMY’s explanation: WAF is a type of firewall used to protect web applications against attacks and
intrusions by stopping malicious requests before they reach the server.

Sportadmin informed and urged all associations to report the incident to
IMY as their own personal data incidents, with reference to the information in
Sportadmin’s incident report. Sportadmin worked, in consultation with IMY, to make
it as easy as possible for all parties to submit correct and complete
reports to IMY. The company had over 2000 outreach calls with the associations,
carried out by a large number of employees over a very short period of time, to inform about
the discussions with IMY and to support the work of connecting to Sportadmin’s
reporting. This resulted in the vast majority of associations, nearly 1700, submitting
reports within 72 hours of the incident. Sportadmin kept the associations
informed of the status of the case and supported their contact with the users.

Sportadmin further obtained consent from the associations to act on their behalf to
send out information to all data subjects about the incident. Due to
the information, the data subjects were able to exercise their rights under
the Data Protection Regulation better than if the associations had provided the information,
because it made it easy to see which personal data had been processed and
by which associations. The company has stated that the action resulted in the data subjects gaining
access to information within a short time and before the threat actor released the data.
This meant, among other things, that the data subjects could immediately take precautionary measures
regarding their personal data.

Justification of the decision

Applicable provisions, etc.

Data controller

According to Article 4(7) of the Data Protection Regulation, a controller is a natural
or legal person, public authority, institution or other body which, alone or
jointly with others, determines the purposes and means of the processing of
personal data. Where the purposes and means of the processing are determined by Union law or the national law of the Member States, the controller or the specific criteria for his or her designation may be provided for in Union law or in the national law of the Member States.

A processor, in accordance with Article 4(8) of the GDPR, means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

A provider of standardised services may act as a processor while its users act as controllers to the extent that the latter determine the purposes of the processing and, in any event, exercise significant influence over the methods of the processing. It should be noted, however, that such a service provider may act as a controller for certain processing activities and as a processor for other activities. In order to determine how
personal data responsibility is distributed, an analysis is required for each activity
of the degree of influence each actor has had in order to determine who
determined the purposes and means of the processing in question.[9]

[8] See European Data Protection Board (EDPB) Guidelines 07/2020 on the concepts of controller and
processor in the GDPR, p. 85.

The requirement to take appropriate safeguards
According to Article 32(1) of the Data Protection Regulation, both data controllers and
processors shall take appropriate technical and organisational measures to
ensure a level of security that is appropriate in relation to the risk of the processing.
When assessing which technical and organisational measures are appropriate, the
state of the art, the costs of implementation and the nature,
scope, context and purposes of the processing, as well as the risks to the rights
and freedoms of natural persons, shall be taken into account.

According to Article 32(1) of the Regulation, appropriate security measures shall include, where
appropriate,

(a) pseudonymisation and encryption of personal data,

(b) the ability to ensure the confidentiality, integrity, availability
and resilience of the processing systems and services at all times,

(c) the ability to restore the availability and access to personal data within
reasonable time in the event of a physical or technical incident,

(d) a procedure to regularly test, examine and evaluate the effectiveness
of the technical and organisational measures to ensure
the security of the processing.

According to Article 32(2) of the GDPR, when assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular against accidental or unlawful destruction, loss or alteration, or against unauthorised disclosure of or access to the personal data transmitted, stored or otherwise processed.

The Court of Justice of the European Union has stated that the reference in Article 32 to a “level of security appropriate to the risk” and “appropriate level of security” respectively shows that the Regulation establishes a risk management system and that the Regulation is not intended to eliminate the risks of personal data breaches.

The wording of the provision merely imposes an obligation on the controller to take technical and organisational measures to avoid personal data breaches as far as possible. The assessment of the appropriateness of such measures
must be made on the basis of the specific circumstances of the individual case.[10]

Recital 75 of the GDPR states that when assessing the risk to the rights and freedoms of natural
persons, various factors should be taken into account. Among others, it mentions
personal data covered by a duty of professional secrecy, data concerning health or sex life, whether
personal data concerning vulnerable natural persons, in particular
children, are processed, or whether the processing involves a large number of personal data and concerns
a large number of data subjects. Recital 76 of the GDPR states that the likelihood and
seriousness of the risk to the rights and freedoms of the data subject should be determined by
the nature, scope, context and purposes of the processing. The risk should be evaluated
on the basis of an objective assessment, which determines whether the processing
involves a risk or a high risk.

[9] See EDPB Guidelines 07/2020, p. 80.
[10] See Judgment of the Court of Justice of the European Union of 14 December 2023, Natsionalna agentsia za prihodite, C-340/21, EU:C:2023:986,
p. 29 and 30.

Sensitive personal data and personal data deserving special protection
Data concerning health belong to the special categories of personal data, so-called
sensitive personal data, which are given particularly strong protection under
the GDPR. As a general rule, the processing of such
personal data is prohibited under Article 9(1) of the GDPR, unless the processing
falls under one of the exceptions in Article 9(2) of the Regulation.

Data concerning health is defined in Article 4(15) of the GDPR as
personal data relating to the physical or mental health of a natural person which provide
information about his or her health status. Recital 35 of the GDPR states that
personal data concerning health should include all data relating to the health of a
data subject which provide information about the past,
present or future physical or mental health of the data subject.

Recital 38 of the GDPR states that children’s personal data deserve special
protection, as children may be less aware of the risks, consequences and
safeguards involved and of their rights with regard to the processing of personal data.
Such special protection should apply in particular to the collection of personal data with
regard to children when services offered directly to children are used.

IMY’s assessment

Personal data responsibility
The investigation into the case shows that Sportadmin mainly acts as
a personal data processor for the personal data processed in the services, and to a limited extent as a personal data controller. Since the obligation to take appropriate
measures under Article 32 of the GDPR applies to both
personal data controllers and personal data processors, IMY will not assess in more detail the role the company has had in relation to the respective
processing activity.

The processing has required a high level of security
According to Article 32 of the General Data Protection Regulation, Sportadmin has had an obligation to take
appropriate security measures to protect the personal data processed in
the services. The investigation shows that it is the company that designs and provides
the services in question and has thus had the actual opportunity to
implement such measures. When assessing which measures were appropriate in
the current case, IMY considers the following.

The processing of personal data in the services has been extensive. According to Sportadmin,
2,126,075 natural persons, who were identifiable via personal identification numbers, have been covered
by the personal data incident. The services, which have been used by a large number
of sports clubs throughout Sweden, have also contained a large amount of personal data about
each registered person, such as full name and contact information, gender, personal identification number,
relationship between member and guardian, nationality and the sport and club to which a registered person has been linked. IMY assesses that access to the information has made it
possible to directly read a large number of data about each data subject, which has made
the processing particularly sensitive to privacy.

Furthermore, IMY believes that the nature of the personal data processed in the services has
been such that the processing has entailed high risks for the rights and
freedoms of the data subjects. The personal data in question has mainly concerned children who are particularly
worthy of protection according to the Data Protection Regulation. Furthermore, the services have contained sensitive
personal data about health in the form of allergies and disabilities. Processing
of such data can constitute a particularly serious interference with the fundamental
rights regarding respect for privacy and protection of personal data.[11]

The investigation also shows that the services have contained data worthy of protection in the form of
personal identity numbers and protected personal data.

Overall, the scope of the processing, in terms of both the number of affected
data subjects, who were mainly children, and the extensive amount of data
about each data subject, as well as the nature of the data, has entailed a high risk to the rights and freedoms of natural
persons. Unauthorised disclosure of or access to
the personal data could have serious consequences for the affected
persons. This has required a high level of security for the processing in the form of
sufficient security measures to ensure the resilience of the services and
the effectiveness of the technical and organisational measures taken to
maintain the security of the processing.

Sportadmin has not taken sufficient security measures
IMY shall then assess whether Sportadmin has taken the technical and organisational
measures that, in relation to the high risks involved, have been appropriate to
protect the personal data in the services.

Insufficient measures to prevent and limit the scope of the breach

The investigation into the case shows that Sportadmin, in connection with a change to the
login procedure for association websites on 28 June 2022 on a certain website
introduced a variable that lacked the protection that the company applied at the time against
SQL attacks. IMY notes that Sportadmin’s services were thus left
exposed to increased risks of breaches in the form of SQL injections. Even though
Sportadmin introduced a reinforced security method against SQL injections at the beginning of 2023,
the services remained vulnerable due to Sportadmin not noticing the
current deficiency in the form of the unprotected variable when implementing the method.

Sportadmin has stated that the breach was likely carried out through this variable. IMY
has no reason to question this information.

IMY assesses, also taking into account that it cannot be established with full certainty
what caused the breach, that Sportadmin has not had sufficient protection to
prevent the type of data breach that the company was exposed to. Sportadmin has since
2021 repeatedly identified that there were increased risks of intrusion into the services
through SQL injections. In the case, it has emerged that a variable nevertheless had
inadequate protection against such attacks. The investigation also shows that Sportadmin
has refrained from introducing additional layers of protection, for example in the form of WAF, which could have
enabled the detection and prevention of the breach despite the inadequate protection
for the variable. It has also not emerged that the company has instead implemented any
other technical measures that could have prevented or made it more difficult to
carry out SQL injections. Instead, such measures have only been implemented after
the personal data incident occurred. In light of the high risks of SQL injections
that have been identified and the serious consequences that such a breach would entail for the data subjects, IMY considers that additional measures to protect
the services against such breaches should have been implemented at an earlier stage.

In addition to the lack of protection against SQL injections, the investigation shows that
Sportadmin, despite the company’s knowledge of the increased risks associated with SQL injections via the publicly exposed parts of the services, has had excessive
rights in the services’ underlying systems. This has enabled the threat actor to
access more information during the breach than if this had not been the case. IMY notes that
a restrictive set of permissions and monitoring of these is a
fundamental security measure that limits the possibility for unauthorized persons to access personal data and that such measures could have limited
the scope of the current breach.

Against this background, IMY assesses overall that Sportadmin has not taken appropriate technical and organizational measures to a sufficient extent in relation to
the risks that exist for data breaches. The personal data has thus not been given sufficient protection against the risk of unauthorized disclosure and unauthorized access.

Insufficient measures to detect the inadequate security measures

IMY notes that Sportadmin has not detected the identified deficiencies in the protection
against SQL injections in connection with the code review that was carried out when the
change was made in June 2022, nor during any of the scans that have taken place thereafter.
The lack of such protection has also not been detected in connection with Sportadmin
introducing an updated security method against SQL injections in 2023.

IMY believes that it has been incumbent on Sportadmin to take appropriate measures to
continuously follow up and ensure that the security measures taken have been sufficiently
effective. The identified deficiency in protection against SQL injections has been of such a
fundamental nature that Sportadmin should have discovered and addressed it.
However, Sportadmin has not had sufficient routines for code review to discover
the deficiency, which has led to the variable in question being implemented without sufficient
security measures. The company has also not had the ability to, during the long period
from the time the variable was introduced to the time the personal data incident in question
occurred, identify and address the deficiency in question afterwards. In light of the high
risks of SQL injections that Sportadmin has identified and that the company nevertheless has not
discovered that there have been fundamental deficiencies in protection against such
attacks for a long time, IMY assesses that the company’s routines for code review have not been
sufficient to follow up on the effectiveness of the technical and organizational measures in
order to ensure the security of the processing.

Insufficient measures to detect intrusions or attempted intrusions

Sportadmin’s report shows that the monitoring system used by the company
only warned of abnormal activity when the company’s servers stopped responding on January 16,
2025, that is, two days after the intrusion attempts began on January 14, 2025.

According to Sportadmin, the company’s monitoring system has not been a tool for monitoring
and detecting intrusion attempts in real time. The monitoring system used has
instead monitored and analyzed hardware, software and usage. Sportadmin has
stated that the company has been able to identify suspicious activity through manual analysis of
logs from the system on a daily basis and in the event of unexpected changes in the system’s
performance.

IMY notes that the technical and organizational security measures that
Sportadmin has taken to monitor security-related events have not been
sufficient to detect or warn of the initial intrusion attempts, the execution of
malicious code from the threat actor or the transfer of personal data. In light of the
high risks that the personal data processing entailed and taking into account that
Sportadmin has identified increased risks for SQL injections for several years, IMY
assesses that Sportadmin should have taken appropriate measures to automatically, in real time,
identify imminent threats in the form of, for example, intrusion or intrusion attempts that could
lead to unauthorized access. If such measures had been taken, Sportadmin would have been in a
better position to prevent or at least limit the damage to the data subjects.
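
The gap described above is between an alert raised when servers stop responding and an alert raised when intrusion attempts begin. The following added sketch, which is not from the decision or from Sportadmin, shows automated detection over request logs; the log format, addresses, patterns and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed log lines: timestamp, source address, request target, status.
SAMPLE_LOG = """\
2025-01-14T09:00:02 198.51.100.7 /teams?club=Example+IF 200
2025-01-14T09:00:05 203.0.113.9 /teams?club=x%27-- 500
2025-01-14T09:00:09 203.0.113.9 /teams?club=x%27+OR+%271%27%3D%271 200
2025-01-14T09:00:11 198.51.100.20 /teams?club=O%27Brien+IF 200
2025-01-14T09:00:21 203.0.113.9 /teams?club=x%27+UNION+SELECT+1-- 200
2025-01-14T09:05:00 198.51.100.20 /teams?club=a%27-- 500
"""

# Illustrative indicators of SQL syntax in a request parameter (not exhaustive).
SQLI = re.compile(
    r"(\bunion\b.{0,40}\bselect\b|'\s*(or|and)\s|--|/\*|\bsleep\s*\()",
    re.IGNORECASE,
)
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 3                   # assumed number of hits before alerting


def detect(lines):
    """Return one alert (timestamp, source, hits) per source that sends
    THRESHOLD suspicious requests within WINDOW."""
    recent = defaultdict(deque)  # source -> timestamps of suspicious requests
    alerted = set()
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the stream
        stamp, source, raw_target, _status = parts
        when = datetime.fromisoformat(stamp)
        # Decode first so that percent-encoding does not hide the pattern.
        if not SQLI.search(unquote_plus(raw_target)):
            continue
        hits = recent[source]
        hits.append(when)
        while when - hits[0] > WINDOW:
            hits.popleft()
        if len(hits) >= THRESHOLD and source not in alerted:
            alerted.add(source)
            alerts.append((stamp, source, len(hits)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

On the constructed sample the alert fires at the third suspicious request from one source, while a single suspicious request and a name containing an apostrophe raise nothing.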

Summary assessment

Overall, IMY assesses that Sportadmin has not taken sufficient measures to
ensure that the personal data processed in the company’s services is protected against the
risk of, among other things, unauthorized disclosure or unauthorized access as a result of a data breach.

Furthermore, the company, despite knowing about the increased risks of SQL injections, has lacked
the ability to identify that the measures taken to protect the services against
such breaches were deficient. The company has also not been in a position to
detect the breach in sufficient time to prevent or at least limit
its consequences. Against this background, IMY assesses that Sportadmin has
processed personal data in violation of Article 32(1) of the Data Protection Regulation by
not having taken appropriate technical and organizational measures to ensure an
appropriate level of security for personal data in the services before and at the time of the
personal data incident that was identified on 16 January 2025.

Choice of intervention

What Sportadmin has stated

Sportadmin has essentially stated the following regarding the choice of corrective action.

If IMY assesses that Sportadmin has processed personal data in violation of Article 32,
firstly no penalty fee shall be paid and secondly the penalty fee
shall be set at a low amount.

The incident occurred due to an external actor exploiting a temporary weakness in
Sportadmin’s IT security system and has not been due to the company having a generally
insufficient or substandard security system. Sportadmin has taken extensive
technical and organizational security measures for the personal data in the services. If
these are not deemed sufficient, the company has acted neither intentionally nor negligently
by not taking protective measures beyond what was applied at the time of
the incident. The fact that any shortcoming has not been intentional indicates that
the violation is of a lower severity. Furthermore, only 115 associations and
25 members have contacted Sportadmin with compensation claims due to lack of
functionality in the services and because the incident has caused concern and uncertainty for
the members. However, finding a situation unpleasant is not the same as
being affected by real damage. Based on the total number of individuals affected by the incident,
it is a very low number of people who have, or believe they have, suffered damage.

There are several mitigating circumstances, including that the company has on its own initiative reported the incident to IMY and has cooperated with the authority and taken measures to mitigate the damage to the data subjects. The company has, among other things, taken more extensive measures than required to protect the personal data in the services after the incident, which has resulted in increased operating costs and reduced user-friendliness, which has had a negative impact on the company’s customer satisfaction. Sportadmin has taken a far-reaching responsibility to enable the associations to make incident reports and fulfill their information obligation towards the data subjects. The work has entailed large costs for Sportadmin and had a major impact on the working environment for the employees. The incident has also otherwise resulted in financial
losses for the company due to work other than that related to the incident having to
be deprioritized. Furthermore, the incident has received extensive media coverage in a way that has negatively affected
the company. Sportadmin has not previously been guilty of any violation of
the Data Protection Regulation and has taken extensive measures to minimize the risk
of similar incidents.

Taking into account the security work Sportadmin carried out before and after
the incident in order to limit the damage to the registered users, Sportadmin’s demonstrated
cooperation with IMY, the associations and also the police, and the damage the incident
caused to the company, a sanction fee is not an effective or proportionate measure.
IMY can achieve the same effect with a less intrusive measure in the form of a
reprimand.

It is Sportadmin’s turnover that shall form the basis for calculating a
possible sanction fee. Sportadmin’s parent company only owns 85 percent of the shares
in Sportadmin and does not in any way control the other votes in Sportadmin. There is
therefore no presumption that Sportadmin and the parent company constitute an
economic unit. The parent company does not exercise, and does not have the possibility of exercising, a
decisive influence over Sportadmin’s behavior. Sportadmin has continued to be operated
as an independent business unit after the acquisition. Sportadmin constitutes a separate economic
entity, has its own management team and board of directors and a separate office in relation to
its parent company. Sportadmin also has its own operating environment and development organization
and at the time of the incident the company had no operational assistance from
the parent company. Furthermore, no one from the parent company worked for Sportadmin on
a regular basis. At the time of the breach, Sportadmin had only been in the
group for a short time. The parent company has had no operational control and
responsibility for the day-to-day management of Sportadmin’s product development, technical environment
or operations, nor for other departments. Sportadmin thus acts
independently in both strategic and operational matters linked to the design of the services
and the handling of personal data.

Applicable provisions

Choice of remedies and calculation of the amount of the fine

In the event of infringements of the Data Protection Regulation, the IMY has a number of remedies
available to it under Article 58(2)(a) to (j) of the Data Protection Regulation, including
reprimands, injunctions and fines. Article 83(2) states that the IMY shall
impose administrative fines in addition to or instead of the other measures referred to in
Article 58(2), depending on the circumstances of the individual case. According to Article
83(1), each supervisory authority shall ensure that the imposition of administrative
fines in each individual case is effective, proportionate and dissuasive.

Article 83(2) of the Data Protection Regulation sets out the factors to be taken into account in
determining whether an administrative fine should be imposed and what should affect
the amount of the fine. The assessment of the seriousness of the infringement takes into
account, among other things, its nature, severity and duration.

The European Data Protection Board (EDPB) has adopted guidelines on the calculation of
administrative fines under the GDPR, which aim to create a
harmonised methodology and principles for the calculation of fines. 13

Pursuant to Article 83(4) of the GDPR, infringements of, among other things,
Article 32 shall be subject to administrative fines of up to EUR 10,000,000 or, in the case of
an undertaking, up to two percent of the total worldwide annual turnover
in the preceding business year, whichever is the higher.

In the case of a minor infringement, the IMY may, in accordance with recital 148 of the GDPR, issue a reprimand in accordance with Article 58(2)(b) of the GDPR instead of imposing a penalty payment.

Definition of the concept of undertaking

When determining the maximum amount of a penalty payment to be imposed on an undertaking,
the definition of the concept of undertaking used by the Court of Justice of the European Union
in the application of Articles 101 and 102 of the Treaty on the Functioning of the European
Union (TFEU) shall be used. The calculation of the maximum amount for a controller that
constitutes or is part of such an undertaking shall be based on a percentage of the total worldwide
annual turnover of the undertaking concerned in the preceding business year. 15 The concept of
undertaking must also be taken into account in order to assess the actual or material economic
capacity of the controller on whom the penalty payment is imposed and thereby to verify whether
the penalty payment is effective, proportionate and dissuasive. 16

It is clear from the case-law of the Court of Justice that the concept of undertaking covers any
entity which carries out an economic activity, regardless of its legal form and the way in which
it is financed, and whether, in legal terms, it consists of several natural or
legal persons. Different undertakings within the same group may thus form an economic unit and
thus constitute an undertaking within the meaning of Articles 101 and 102 of
TFEU. Such an economic unit consists of a single organisation with staff and tangible and
intangible assets, which pursues a specific economic objective on a lasting basis and which may
participate in an infringement within the meaning of Article 101(1) TFEU. 18

The question of whether a parent company and a subsidiary are to be considered part of the same
economic unit largely depends on whether the subsidiary, despite being an independent
legal person, does not independently determine its behaviour on the market but
mainly implements instructions received from the parent company which can be considered to exercise a decisive influence over the subsidiary. The criteria for determining this
are based on the economic, legal and organisational links between
the parent company and its subsidiary, such as the size of the participation, the staff
or organisational links, instructions and the existence of corporate contracts. 19

13 See EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
14 See recital 150 of the GDPR.
15 See the judgment of the European Court of Justice of 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, p. 57.
16 See the judgment of the European Court of Justice of 13 February 2025, ILVA, C-383/23, EU:C:2025:84, p. 36.
17 See the judgment of the European Court of Justice of 27 April 2017, Akzo Nobel, C-516/15 P, EU:C:2017:314, p. 48.
18 See the judgment of the European Court of Justice of 6 October 2021, Sumal SL v. Mercedes Benz Trucks España SL, C‑882/19,
EU:C:2021:800, p. 41.
19 See, among other things, the judgments of the European Court of Justice of 20 January 2011, General Química and Others v Commission, C-90/09 P,
EU:C:2011:21, p. 37 and 6 October 2021, Sumal SL v Mercedes Benz Trucks España SL, C-882/19,
EU:C:2021:800, p. 43 and EDPB Guidelines 04/2022, p. 122.

In order to determine whether there has been an economic unit, it may also be taken into account
whether the same persons hold key management positions in the companies of a group. 20

The Court of Justice of the European Union has stated that the fact that a subsidiary essentially follows
instructions from the parent company and cannot be considered to independently determine
its actions on the market constitutes only an indication of the existence of an economic unit,
but is not the only circumstance that makes the parent company liable. The Court
has also stated that it is not decisive whether the parent company has interfered in
the subsidiary’s day-to-day activities. A parent company may have a decisive influence
on the subsidiary even if it has no concrete right of co-determination or
provides any concrete instructions or guidelines regarding individual parts of
the commercial policy. Consequently, a common commercial policy within a group may also
be indirectly apparent from the overall economic and legal relationship between
the parent company and its subsidiaries. For example, the influence of the parent company on
its subsidiaries regarding the company’s strategy, operating policies and plans,
investments, capacity, financing, personnel matters and legal matters may indirectly
affect the actions of the subsidiary and the group as a whole on the market. 21

According to the case law of the Court of Justice of the European Union, if a parent company
owns 100% or almost 100% of the shares in a subsidiary, there is a presumption that the parent
company exercises decisive influence over the subsidiary’s conduct (the so-called Akzo
principle). However, the presumption can be rebutted if the company provides sufficient
evidence to prove that the subsidiary acts independently on the market. 22

IMY’s assessment

A penalty fee shall be imposed

IMY has assessed that Sportadmin has processed personal data in violation of Article 32(1) of
the Data Protection Regulation by failing to take sufficient technical and organisational
measures to protect the personal data processed in the company’s services. From the information
provided by Sportadmin in the case, it appears that the unprotected variable, which probably
enabled the SQL breach in January 2025, was already introduced in June 2022. The identified
shortcomings have led to unauthorized access to a large amount of personal data, which mainly
concerned children and included sensitive and particularly sensitive personal data. IMY assesses
that this is not a minor violation that could result in a reprimand being issued instead of a
penalty fee.

The Court of Justice of the European Union has clarified that it is required that the controller
has committed an infringement intentionally or negligently in order for administrative penalty
fees to be imposed under the Data Protection Regulation. The European Court of Justice has stated
that sanctions may be imposed on controllers for actions if they cannot
be considered to have been unaware that the action constituted an infringement, regardless of whether
they were aware that they were infringing the provisions of the Data Protection Regulation. 23

Sportadmin, in its capacity as a data processor, and to a limited extent also
as a data controller, has had a responsibility to comply with the Data Protection Regulation’s
requirement to take appropriate technical and organisational measures to ensure an
adequate level of protection for the personal data processed in the services. IMY has concluded
that, by not taking such measures, Sportadmin processed personal data in violation of Article
32(1) of the General Data Protection Regulation. IMY considers that Sportadmin cannot be
considered to have been unaware that the action constituted a violation of the Regulation.
Against this background, IMY considers that Sportadmin has been negligent in relation to the
violation of the General Data Protection Regulation that has been established. All conditions
for imposing a penalty on Sportadmin are thus met.

20 See the judgment of the European Court of Justice of 1 July 2010, Knauf Gips KG v Commission, C-407/08 P, EU:C:2010:389, p. 66, 72
and 85–86.
21 See the judgment of the European Court of Justice of 10 September 2009, Akzo Nobel and Others v Commission, C-97/08 P, EU:C:2009:536,
p. 72 and 73 referring to points 87-94 of the Advocate General’s Opinion of 23 April 2009 in the same case.
22 See the judgments of the Court of Justice of 10 September 2009, Akzo Nobel and Others v Commission, C-97/08 P,
EU:C:2009:536, p. 59–61 and 14 July 1972, ICI v Commission, C-48/69, EU:C:1972:70, p. 136.
23 See the judgments of the Court of Justice of the European Union of 4 May 2023, Nacionalinis visumenes sveikatos centras, C-683/21, EU:C:2023:949,
p. 81 and 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, p. 76.

The Lime Group’s annual turnover shall form the basis for calculating the penalty

The following is stated in Sportadmin’s annual report for 2024. On 9 January 2024, Lime
Technologies Sweden AB (Lime Sweden) signed an agreement to acquire the shares in Sportadmin.
The first part of the acquisition concerned 85 percent of the shares and votes,
and was completed on 9 January 2024. The remaining 15 percent of the shares will be acquired
in the third quarter of 2027. Sportadmin and Lime Sweden are part of the Lime
Technologies Group (Lime Group), the parent company of which is Lime Technologies AB
(publ) (Lime).

Lime owns 100 percent of the shares in Lime Sweden. According to the Akzo principle,
there is therefore a presumption, which has not been rebutted in the case, that Lime exercises
decisive influence over Lime Sweden’s behaviour. The current presumption is not
applicable to the relationship between Lime Sweden and Sportadmin. IMY
however notes that Lime Sweden’s significant shareholding of 85 percent in
Sportadmin, together with the agreement that a comprehensive acquisition will take place within
the foreseeable future, constitute circumstances that should be given great importance when assessing
whether Lime Sweden exercised decisive influence
over Sportadmin at the time of the infringement. In addition, the following circumstances are
also taken into account, which in IMY’s
opinion indicate that Lime, Lime Sweden and Sportadmin should be considered as one
economic unit.

In Lime’s annual report for 2024, Sportadmin is referred to throughout as “Lime
Sportadmin”. Furthermore, the purchase of Sportadmin is highlighted as a way to strengthen Lime’s
product portfolio and enable local growth potential and long-term
internationalization, where Lime Sportadmin’s product offering is expected to contribute to both
growth and profitability for the Group’s results. The annual report also states that
the internationalization of Sportadmin has begun through the acquisition of a Dutch
company, in which Sportadmin owns 100 percent of the shares. It is also stated that the group
continues to have an active Mergers and Acquisitions Agenda for Sportadmin’s further
internationalization. The annual report also states that Lime, in connection with the acquisition
of Sportadmin, added member organizations as a fifth focus industry, where
Lime has for a long time strengthened its position in several markets among sports associations
and other types of member companies. It is further stated that since Sportadmin became part of
the Lime group, the group has continued to develop Sportadmin’s platform with a focus
on user-friendliness, integrations and scalability. IMY believes that these statements
provide support for the existence of such common plans and economic goals within
the group that the companies together strive towards, which constitute additional factors that
indicate that the companies in question constitute an economic unit.

Sportadmin’s and Lime Sweden’s annual reports for 2024 show that two
of five board members held management and board positions within both Sportadmin
and Lime Sweden at the time of the breach. Furthermore, it is clear from Lime’s
annual report for 2024 that four of the board members of Sportadmin were also part of
the group management and the extended management team of Lime, one of whom in his capacity as
CEO of the Lime Group. It can therefore be stated that the same
persons held key positions in the management of several of the companies in question at the same time.

Furthermore, Sportadmin’s personal data policy states that since Sportadmin is part of the Lime
group, Lime Sweden, which handles the group’s main
administrative functions, also processes the personal data of the data subjects as joint
controllers with Sportadmin. Sportadmin’s account of
the personal data incident also shows that Lime Sweden’s general counsel has acted as
Sportadmin’s legal representative in the legal team that was put together in connection with
the incident. It also shows that the Lime group’s internal expertise has been used in connection
with the implementation of technical and organizational measures following
the personal data incident. Sportadmin has also stated that since 2024 the company has
had access to documented procedures for code changes developed by the Lime group
to support its work with the security aspect of the development process. According
to Sportadmin, the company has worked to implement these
documents in its operations since the acquisition. IMY assesses that these circumstances
provide support for the fact that
there are clear organizational links, including in terms of personnel and
the application of instructions, between the companies concerned.

In an overall assessment of the above economic, legal and organizational
links between the companies, IMY assesses that these should be regarded as an
economic unit that constitutes an undertaking within the meaning of Articles 101 and
102 of the TFEU. The calculation of the sanction fee shall therefore be made based on the Lime
Group’s annual turnover for the year 2024, which was approximately SEK 685,700,000. 24 Two
percent of the Lime Group’s annual turnover for the year 2024 is therefore SEK 13,714,000.
Since this amount is lower than the static maximum amount specified in Article 83(4) of
the GDPR, the maximum penalty that can be imposed in the case
is EUR 10 million.

The infringement is of high seriousness

When assessing the seriousness of the infringement, its
nature, severity and duration shall be taken into account, among other things. The EDPB guidelines state that
the severity is divided into low, medium or high severity.25

Sportadmin has had a far-reaching obligation to protect the personal data
processed in the company’s services, which are used by a large number of sports clubs throughout
Sweden. The deficiencies in the protection of personal data have been of a
fundamental nature and have led to the possibility of unauthorised access to the data of over
two million people. The majority of the personal data has involved children, who, due to
their vulnerability, should be given particularly strong protection for their personal data.

The breach has also included a large amount of data about each person, which has increased the
risks to privacy. The data in question has also included sensitive personal data about health
and other data of a privacy-sensitive nature in the form of personal identification numbers and
protected personal data. The breach has also concerned the central processing of personal data
in Sportadmin’s core business, where the company can be expected to have good conditions to take
appropriate security measures in relation to the identified risks. This means that the breach
should be considered more serious than if this had not been the case. 27

24 If the company is subject to an obligation to prepare consolidated accounts, which Lime does, it is the consolidated accounts of the
group’s parent company that are relevant to reflect the company’s total turnover, see EDPB Guidelines 04/2022, p. 130 and the judgment
of the Court of Justice of the European Union of 30 May 2013, Groupe Gascogne SA v Commission, C-58/12P, EU:C:2013:770, p. 54–56.
25 See EDPB Guidelines 04/2022, p. 60.
26 See EDPB Guidelines 04/2022, p. 58.

The shortcomings in the protection of personal data have led to the threat actor being able to access
and then publish personal data from the services on the Darknet. IMY
notes that unauthorised access to the type of personal data processed in
the services entails a high risk of harm to the data subjects. This is particularly so
considering that the European Court of Justice has stated that damage may arise for data subjects already
in the event of a loss of control over their own personal data, even if there has been no
concrete misuse of the data in question. Sportadmin’s deficient actions have
thus, according to IMY, had a major impact on the rights and freedoms of the data subjects.

The assessment of the seriousness of the infringement is also affected by factors such as duration and,
depending on the circumstances of the individual case, the degree of negligence in
relation to the deficiencies found. 29 Sportadmin has for several years identified
increased risks for such SQL injections that are likely to have caused the current
personal data incident. This means that Sportadmin has for a long period
failed to take sufficient security measures to prevent and detect the current type
of data breach, despite the fact that the company has been aware of the risks
that such deficient protection entailed throughout this period. IMY notes that the company has
decided to wait to take several appropriate measures to strengthen protection against SQL
injections and other data breaches, even though the measures were necessary to ensure adequate
protection. The investigation shows that the company had the ability to
carry out such measures in a short time after the personal data incident. Against this
background, and taking into account the scope and nature of the processing, IMY assesses
that Sportadmin has demonstrated such a high degree of negligence that this should weigh
in a more stringent direction.

With reference to the above, IMY assesses that the current violation is of
high seriousness.

Mitigating and aggravating factors

When assessing the size of the penalty, the aggravating
and mitigating factors specified in Article 83(2) of the Data Protection Regulation shall also
be taken into account.

The investigation shows that Sportadmin has taken several technical and organizational
measures after the incident, among other things, with the aim of protecting the data subjects’
personal data, reducing the impact on the data subjects and strengthening IT security
in the long term. IMY notes that the measures taken largely encompass
things that should have been taken even before the incident occurred in order to achieve an
appropriate level of security. The measures taken cannot be considered to go beyond what
can be expected from Sportadmin in the current case. IMY further assesses that it has not
emerged that the measures taken after the breach have mitigated the damage to the data subjects
to such an extent that these should be considered mitigating factors. 30

27 See EDPB Guidelines 04/2022, p. 53.
28 See the judgments of the Court of Justice of the European Union of 14 December 2023, Natsionalna agentsia za prihodite, C-340/21, EU:C:2023:986,
p. 82 and of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, p. 145.
29 See the EDPB Guidelines 04/2022, p. 56. As is clear from the referenced paragraph in the Guidelines, and the Court of Appeal in
Stockholm’s judgment of 16 December 2022 in case 7837-21, there is, however, no support for assessing the seriousness of an
infringement as being reduced as a result of it not having been committed intentionally in the manner argued for by Sportadmin.
30 See EDPB guidelines 04/2022, p. 74.

The fact that Sportadmin has reported its own personal data incident and
cooperated with IMY in the investigation of the incident to the extent that can
be expected does not affect the size of the sanction fee in an increasing or decreasing direction. 31

However, IMY considers as mitigating when assessing the size of the sanction fee
that Sportadmin has taken an active and coordinating role to enable
all associations affected by the personal data incident to fulfil their
obligations to submit incident reports to IMY in a timely manner. Sportadmin has
also served as a central point of contact between IMY, the company and the associations and
assisted the associations in providing information about the incident to affected data subjects in
order to, among other things, make it easier for these individuals to take precautionary measures to
protect their personal data.

IMY assesses that there are no aggravating or mitigating measures that
affect the penalty fee.

Amount of the penalty fee

IMY determines, based on an overall assessment, that Sportadmin shall pay an
administrative penalty fee of SEK 6,000,000. In determining
the amount of the penalty fee, the high seriousness of the violation and the Lime
Group’s turnover have been taken into account. IMY has, as a mitigating circumstance, taken into account
Sportadmin’s actions in connection with the incident but also taken into account that
the violation occurred within the framework of Sportadmin’s operations and not in other parts of
the group. In summary, IMY considers that the sanction fee is effective,
proportionate and dissuasive.

__________________________

This decision has been made by Director General Eric Leijonram after a presentation by
Departmental Legal Officer Maja Welander. In the final processing,
Legal Director David Törngren, Unit Head Christelle Bourquin, Advisor Sara
Ahmed, Legal Officer Viktor Johnsson and IT and Information Security Specialist
Johnny Gordon Tornesjö have also participated.

Eric Leijonram

Appendix

Information on payment of the sanction fee.

How to appeal

If you wish to appeal the decision, you should write to IMY. Indicate in the letter which decision you
are appealing and the change you are requesting. The appeal must be received by IMY
within three weeks of the date you received the decision. However, if you are a party representing
the public, the appeal must be received within three weeks of the date on which
the decision was announced. If the appeal has been received in good time, IMY will forward it
to the Administrative Court in Stockholm for review.

31 See EDPB Guidelines 04/2022, p. 95–98.
32 The EDPB Guidelines 04/2022, p. 63–69, explain how a company’s annual turnover can affect a calculation of
the size of the penalty fee based on the static amount of EUR 10,000,000.

You can email the appeal to IMY if it does not contain any privacy-sensitive
personal data or information that may be subject to confidentiality. The authority’s
contact details are provided on the first page of the decision.
</pre>