This is a GDPR breach isn't it?

[Curiosity101]

We're remortgaging our house as we're at the end of our fixed term.

We decided to go through a broker (which we're now regretting). The broker applied to the bank for our mortgage of choice, bank instructed their solicitors. All pretty normal so far.

The problem is that the broker's admin team put my email address in incorrectly. So they gave the wrong email to the bank and the bank gave the wrong email to the solicitors. The solicitors have now sent 3 emails to the wrong email address. 2 of which were after we'd informed the broker, bank and solicitors of the mistake.

There is nothing too bad on the emails so far, but it does have mine and DHs full names, address and that we're remortgaging with a specific bank. (I know this cause DHs email is correct and we're meant to both be being sent the same documents).

We're really struggling to get them to update the email address to the correct one. The comeback from the bank and solicitors has been that they can just post us out the documents if the email is incorrect.

AIBU to think it's not ok to knowingly leave that email incorrect if they're sending (un encrypted) documents to it with my details on? Surely that comes under GDPR and they should be keen to get it fixed? Whilst the details they've sent so far haven't been incredibly sensitive, I've no idea what else they might send to that email or if anyone is looking at it on the other side so it's bothering me. They also sent details to that email to set up an account with the online mortgage portal and I do wonder if they'll potentially send our mortgage account details there once the process is complete.

We've informed the brokers who have supposedly told the bank and solicitors. We also tried approaching the bank directly and they said they'd only deal with the brokers, same with the solicitors who will only deal with the bank... Which does make sense given who instructed who at each point of the process.

If IANBU then who would you apply pressure to in the hopes to get it fixed quickly? Currently it's been around 2 weeks of us trying in vain to get it updated.

Under Data Protection regs the information they hold must be accurate, so yes they need to update it ASAP

Yes, it is a GDPR breach. If this happened where I work , we would have to make an internal breach report to our Information officer who would have to decide if the breach was serious enough to be reported to the ICO.

Even though you aren’t their client ( the bank is) it may be worth looking on their website as they should have details on who their Complaints partner is and contacting them

GDPR is only for EU countries but yes, it is very sloppy

Sorry, I assumed you're in the UK which may have been a complete goof on my part

If they haven't had a response from that email address saying it isn't valid then they've no idea who has accessed it. Hopefully they've got one saying delivery has failed so they can reassure you.

@Dutch1e

GDPR is only for EU countries but yes, it is very sloppy

The UK has its own GDPR

@Dutch1e

GDPR is only for EU countries but yes, it is very sloppy

I thought we had UK GDPR now

@Dutch1e

GDPR is only for EU countries but yes, it is very sloppy

Do you mean it doesn't apply to the UK post-Brexit? It effectively does. We adopted the EU's GDPR rules and called it UK GDPR.

(sorry if I misunderstood you, it wasn't clear)

Ah, cross posted. Always late to the party!

TheRosesOfSuccess Cross posted

Anyyway OP - if I were you I'd go nuclear at them. This is entirely unacceptable. If you are in the UK, you can look up the ICO complaints procedure. At the very least I'd be wanting to speak urgently to the bank's data controller and put a rocket up their backside.

Thanks all.

We'll try the solicitors website for a complaints section and see if we can get it updated via there. Will also contact the brokers again and see if we can get them to get it sorted.

And just to clarify, yes I'm in the UK 👍

GDPR breach. If they can’t update the email address they will have to post future docs to your home address.

@2021DNA That was their initial suggestion, but they will still send all the details to the incorrect email address which didn't sit right with me.

They've been told it's incorrect so that's a stupid thing to do!

No no. This is ridiculous and needs them to sort it out NOW. The broker's admin team need to be doing the legwork but this is of sufficient concern that i'd be also chasing it directly with each of the organisations myself. Telling them that your data is being breached by this GDPR breach and you expect it to be handled as a data breach.

It is a GDPR breach. It is also quite separately a breach of the solicitor’s duties towards you (confidentiality, legal privilege etc) and to continue sending confidential documents to the wrong address after you’ve asked them to correct this is negligent. Tell the solicitors that in writing and tell them that all rights are reserved in respect of their continued failures to comply with their client confidentiality obligations and the GDPR. Ask who their client complains manager is for negligence issues. This should wake them up a bit.

The bank will probably have a Data Protection Officer - check their website for a Privacy Notice. Complain to them as well. They are processing incorrect data about you it is absolutely not ok for them to say you need to speak to your solicitors.

I would also consider informing the Information Commission - the data protection regulator if this doesn’t get resolved asap

GDPR applies to U.K.
Report it as a breach to regulatory body as you are unhappy with their response

It's a big no, to breach someone's data especially financial or health data, and after company being told, fir company not to report it as a data breach, You will get a full reaction. Look up how to complain and who to

www.gov.uk/data-protection/make-a-complaint

Have you tried setting up an email with the wrong address? It might not belong to anyone.

If your email is [email protected] and they're sending stuff to [email protected] then go and see if that email is taken by trying to use it as a new email.

At least then, you'll know if someone has it. I doubt they would have told you if they had bounce backs since they seem pretty crao all round.

TheRosesOfSuccess and PurplyBlue you're quite right. I read "GDPR" and stupidly didn't make the leap to the UK recreating EU rules. I stand corrected.

@Fiddliestofsticks That's one of the first things we checked and the domain is registered so we expect the emails are ending up in an inbox somewhere.
My email is along the lines of: [email protected]
The mistake is: [email protected]

It's really easy to see how they've made the mistake and I wouldn't mind if they'd not all slopey shouldered the mistake and then suggested they could just post out the documents and leave it as it is.