ICO fines Ticketmaster UK

ICO fines Ticketmaster UK Limited 1.39 million Euros, over chatbot cyber attack.

ICO fines Ticketmaster UK Limited 1.39 million Euros under the GDPR, for failing to prevent chatbot cyber attack.


The ICO has fined Ticketmaster UK in relation to a recent data breach which potentially affected over 9 million customers across the EU. This data breach was orchestrated via a chatbot which the company installed on its online payment page. The company’s failure to protect their customers’ information is a breach of the GDPR. 


In February 2018, several Monzo bank customers reported fraudulent transactions. In addition, the Commonwealth Bank of Australia, Barclaycard, MasterCard and American Express all made reports to the company suggesting fraud. Nine weeks after being alerted, Ticketmaster began monitoring network traffic via its online payment page. The breach began in February 2018, however the penalty which ensued relates to the breach over the period from May 25, 2018, upon the implementation of the new rules under the GDPR.  


This data breach potentially affected millions of customers as their payment information became compromised.


The data breach in question included names, payment card numbers, expiry dates and CVV numbers, potentially affecting 9.4 million of Ticketmaster’s customers across Europe with approximately 1.5 million in the UK. The investigations uncovered that, as a result of the breach, 60,000 payment cards from Barclays Bank customers were subjected to known fraud. An additional 6,000 cards were replaced by Monzo by the bank due to suspected fraudulent use.

The ICO found that there weren’t adequate security measures in place to protect customers’ data.


The ICO’s investigation revealed that Ticketmaster’s decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details. Deputy Commissioner, James Dipple-Johnstone said “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.” The ICO found that Ticketmaster failed to assess the risks of using a chat-bot on its payment page, to identify and implement appropriate security measures to avoid the risks, and to identify the source of suggested fraudulent activity in a timely manner. The ICO issued Ticketmaster UK Limited with a notice of intent to fine on 7 February 2020, and received written representations in response. 

The ICO fines Ticketmaster UK under the GDPR on behalf of all EU authorities, taking into account the impact of the COVID-19 pandemic.

 Since the breach happened before the UK left the EU, the ICO acted as the lead supervisory authority. The ICO completed the Article 60 GDPR process prior to the issuing of the penalty. This article provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. The process included submitting a draft decision to the other supervisory authorities for their opinion and taking their views into consideration.When deciding on a fine, the ICO considered not only affordability, but the economic impact of COVID-19 among other factors.


The ICO statement is available in their website.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

First Code of Conduct

First Code of Conduct under the GDPR approved by the Spanish DPA.

The first Code of Conduct under the GDPR has been approved by the Spanish DPA.

The Spanish Agency for Data Protection (AEPD), in enforcing the General Data Protection Regulation and the Data Protection Law and guarantee of digital rights, has approved the first code of conduct based on the provisions of articles 40 and 41 of the GDPR and 38 of the DPA 2018. The Code of Conduct for Data Processing in Advertising Activity has been presented by the Association for the Self-regulation of Commercial Communication (Autocontrol), whose main purpose is the establishment of an out-of-court system to process claims about data protection and advertising, quickly, easily, effectively and free for consumers. 

This first code of conduct under the GDPR approved by the Spanish DPA, governs the processing of personal data for advertising purposes.

The GDPR establishes that the supervisory authorities will promote the development of codes of conduct aimed at contributing to the correct application of the regulation, taking into account the specific characteristics of the different sectors and the specific needs of micro, small and medium-sized enterprises .This code, presented by Autocontrol applies to data processing for advertising purposes carried out by its member entities. This includes sending commercial communications, promotions carried out in order to collect personal data to use for advertising purposes, use of cookies and equivalent technologies for the management of advertising spaces or conducting behavioral advertising, and also profiling for advertising purposes.

Autocontrol, the independent self-regulatory body of the advertising industry in Spain, established in 1995 as a non-profit association, is made up of advertisers, advertising agencies, the media and professional associations, with the objective to work towards responsible advertising. The code recently presented by this organisation will apply to member entities established in Spanish territory or to data processing activities that affect data subjects residing in Spain, as long as the data processing is related to the offer of goods and services in Spain or to the monitoring of their behaviour in Spain. 

The code outlines information to be communicated to data subjects when their personal data is collected.

According to this code, the data subject may exercise the right of access, right to rectification, right to erasure, right to object, right to restriction of processing and, where appropriate, the right to data portability regarding the treatment of the data. The data controller must inform the data subject of the processing of their personal data, providing specific information, outlined in articles 13 and 14 of the GDPR, depending on whether they obtained the data from the concerned party or from a different source. In addition, data controllers must inform the concerned parties about their right to object to the use of their personal data for direct marketing purposes, at the time the data is collected. The use of cookies or similar tools by the data controllers will be subject to the provisions of the Information Society Services Law, which is the national law implementing the ePrivacy Directive, or regulations that replace it. 

According to the code, there will be an Advertising Jury which will act on behalf of the Spanish DPA in matters concerning advertising and marketing. 

Autocontrol has also implemented an extrajudicial resolution system to resolve disputes that arise between its data controllers and their data subjects, due to data processing carried out in advertising. With respect to the functions and powers of the Spanish DPA as supervisory authority, the Advertising Jury will act as a supervisory body of this Code. When the Advertising Jury, in resolving a claim, declares a breach of the code, it will rule on the sanctions that, where appropriate, should be imposed in accordance with the provisions of the regulations.

Annually, the Secretariat of the Advertising Jury will prepare a statistical report for each member entity with the relevant data regarding the respective entity’s activity, including both data related to mediations and the decisions of the Advertising Jury. The Secretariat of the Advertising Jury will also prepare an annual collective statistical report to be presented to the Spanish DPA.

Autocontrol has this Code of Conduct in the section for codes of conduct of its website where it can be downloaded free of charge by any user.

Do you process data for advertising and marketing purposes? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling personal data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services and also compliance with the Spanish data protection national law including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Guernsey-based law firm

Guernsey-based law firm fined after sharing “highly confidential and sensitive” information.

Guernsey-based law firm fined over 11,000 Euros by the DPA, after sharing “highly confidential and sensitive” information via emails and post.


Trinity Chambers LLP sent private details about an individual and their family via emails and post, the Data Protection Authority (ODPA) found. The Office of the Data Protection Agency recently released a statement containing the details surrounding this case.


An investigation found that due to repeated human error, sensitive information about the data subject and their family was distributed.


Following a complaint made to the Authority under section 67 of the The Data Protection (Bailiwick of Guernsey) Law, 2017, an investigation was conducted under section 68. The complaint related to the alleged unauthorised disclosure of personal data as a result of repeated human error. According to the report, a lack of security had given “unconnected” third parties access to the data. The breach of data by Trinity was the result of “repeated human error”,  the investigation uncovered. It was found that Trinity Chambers LLP sent files via email and in the post including highly confidential and sensitive personal information relating to the complainant and their family without appropriate security. This information was then unwittingly accessed by unconnected third parties who  were totally unaware of the nature or sensitivity of the content.


Guernsey based law firm fined to reflect the gravity of the effect of data breach.


The Bailiwick’s Data Protection Commissioner Emma Martins said the ODPA was “disappointed” by the firm’s response. She went on to say “There is little evidence that the controller in this case engaged in a timely manner with the complaint or appreciated the impact of the breach on the individuals concerned.” She added that the fine aimed to reflect “the serious nature and impact of failing to look after personal data”, and its potentially “significant” impact in a small community.


The Firm was fined 11.2 thousand Euros for failure to safeguard personal data.


While the personal data involved did not constitute special category data as defined in the Law, it was highly sensitive and private for the individuals involved. As a result of the investigation, the Authority determined that Trinity Chambers LLP breached the Law in relation to the unauthorised disclosure of personal data to a third party. The Authority has fined Trinity Chambers LLP £10,000 to reflect the serious nature and impact of failing to look after personal data. The fine also reflects the lack of engagement by the controller and concerns that there has been a lack of appreciation of the potential wider impact of the breach for the individuals affected.


Trinity Chambers law firm has not appealed the decision, according to the ODPA.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

ICO provides SAR guidance

ICO provides SAR guidance for organizations receiving requests.

ICO provides SAR guidance to simplify the process for, and give better understanding to organizations receiving subject access requests.


The ICO published information last month, geared at giving guidance to organizations who may receive subject access requests (SARs). As the weight of personal data becomes more apparent to individuals, more people are exercising their right to information on what exactly is happening to their personal data. The right of access, also referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other additional information. The ICO, having realized how important it is that an organization should be able to deal with subject access requests efficiently and effectively, has launched this guide, which was published in the form of a list of frequently asked questions, can be found here


The initial consultation for this guidance published by the ICO, generated lots of engagement, and received an overwhelmingly positive response.


The process of creating this right of access detailed guidance started back in December 2019, with a consultation which received an overwhelming reaction, comprised of over 350 responses from various organisations. While those responses consisted of mainly positive feedback, there were also requests for examples, explanations and additional content. Based on the feedback, there were some key changes made, and content added to the original version published. 


The ICO provides SAR guidance, complete with situational examples for reference.


This guidance published by the ICO last month includes details on what right of access is, why it is important, and also what specific information an individual is entitled to. The information provided in this guidance also includes direction on who should be handling requests and in what manner requests should be handled, complete with relatable examples, which the individuals in an organisation can follow and apply to their circumstances to gain a better understanding of how things should proceed.


The ICO was able to clarify a few key points raised by organisations during the guidance consultation phase. 


There were a few key points raised for clarification by the organisations regarding their obligations, which the ICO cleared up. For one, stopping the timer on response time, when clarification is needed to provide a response is definitely now allowed. The ICO also clarified what a manifestly excessive request is, and offered guidance on how to navigate dealing with those, including when and how an admin fee may be applied to some requests.

The ICO has further plans to create several resources for business on the topic of SARs.


The ICO has plans on creating a suite of resources. This will include an even more simplified guide for small businesses regarding subject access requests with key information from the general guide which would specifically benefit them. This information is viewed as essential to organisations, to ensure trust from individuals, in the way an organisation handles their personal data, and by extension in the organisation itself.


Do you know how to handle DSARs and the rest of data subjects rights granted by the GDPR? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.