Arsenal Football Club has discovered that a GDPR breach occurred after the private details of club members were mailed, in error, to other club members in letters asking them to renew their membership of the football club.
A news article in The Telegraph revealed that when Arsenal issued letters asking members to renew their annual club memberships, some of those letters included pre-filled forms with the private details of total strangers. Those forms contained names, dates of birth, addresses, telephone numbers, emails and membership numbers. One fan, Richard, received such a letter asking him to renew his gold season ticket for around £1,200.
A representative of Arsenal Football Club said: “We are well aware of our responsibilities under the GDPR regulations and apologise to the fans who were impacted. We launched an investigation as soon as this was brought to our attention and have established that this was a manual error by a supplier. There is no suggestion this was a system issue.”
The Telegraph investigation revealed that four fans were issued completed forms in error. As a proportion of the overall number of membership renewal forms issued, this number, four, represents a minuscule fraction. However, even though the figure is small, it does not alter the fact that GDPR legislation has been breached.
As GDPR only became enforceable last month, on May 25, the timing of this incident is quite unfortunate. There are many stories about GDPR appearing in the press, and the penalties for breaching the European Union legislation are well known. Companies and organizations can be sanctioned with monetary penalties as high as 4% of their annual revenue or €20m, whichever figure is higher.