“I’m from Benfica and that makes me proud.” This is how the Sport Lisboa e Benfica anthem begins – and nothing is truer when we talk about sporting passion. But when the topic is personal data protectionpride gives way to concern: Benfica is still not playing at the level required by law.
The topic arose with the alleged contacts of a candidate list for the elections to appeal to the vote, using data from members in the first round of the elections. It was then reported that Benfica had filed a complaint with the National Data Protection Commission (CNPD). My first reaction was simple: Can a club – a legal person – file a complaint for breach of personal data, when it is not the holder of personal data? I’m sure not. Only the holder of the personal data – the partner – has the right to do so.
The perplexity increased when, in the electoral debate, current president Rui Costa stated that Benfica had a “legal obligation to communicate the situation to the CNPD within 72 hours”. He defended the idea as basic and evident. But that would only be true if we were facing a leak of personal datathat is, a security breach that unduly exposes the personal data of partners. Which doesn’t seem to have happened.
What is at stake is not a leak of personal data, resulting from any cyber attack, but a illicit use of data by a competing list – a legally vastly different reality.
Only the leakage of personal data requires CNPD to be notified. A potential misuse, no.
In the second case, the law is clear: The person who has the right to complain is the member whose personal data (mobile number, email, address, name, etc.) were used outside the purpose for which they were collected.
If Benfica is not a victim – it is responsible for the treatment – there is nothing to complain about.
By acting as if there was a data leak, the current management not only assumed non-existent non-complianceas it transferred to the club itself a responsibility that should fall on those who allegedly used the data inappropriately – it is clear that it was not understood who it was or how they did it. But worse, by communicating as it did and by treating the issue as it did, the current management opened the door to sanctions against Benfica itselfwhich would only exist if there had, in fact, been a breach of information systems security.
Between admitting a mistake you didn’t make and ignoring the mistake you should have reportedBenfica took the worst of paths: turned a third-party breach into an internal IT security problem.
Outside the fields, poppies vibrate less and jump due to unacceptable management errors.