Business just emailed me their entire mailing list

42 replies

PickyEaters · 01/12/2022 10:48

Isn't this a breach of data protection or something?

I received a marketing email from a local cafe/workspace. All the recipients (including me) are listed in the "To" field. I would say around 400 email addresses.

I'm annoyed as I'm now expecting a deluge of spam, phishing attempts etc. Should I complain to them, or just forget about it?

EmmaC78 · 01/12/2022 18:35

Merlott · 01/12/2022 17:53

It's a data breach and yes it is a big deal!

It's honestly not a big deal. The ICO would take zero interest in this type of thing. They are only interested in breaches where there is potential for significant harm to be caused to the data subject. The release of e-mail addresses in relation to general marketing wouldn't fall under that.

PickyEaters · 01/12/2022 19:27

I have informed them and received a reply saying "Thank you for notifying us. This was an error and we are looking to rectify it".

cakeorwine · 01/12/2022 19:47

There have been some really bad incidents with not using BCC

The Foreign Office emailed Afghan interpreters without using BCC
A London hospital emailed HIV patients without using BCC

I would tell them - and they decide whether it meets their threshold for reporting to the ICO. I think it does as it's a lot of data although it's not that personal. Unlike the other examples.

cakeorwine · 01/12/2022 19:49

APurpleSquirrel · 01/12/2022 16:20

I did this a few years ago, shortly after the GDPR rules came into effect - it was an accident but I was mortified & hauled over the coals by my boss. She contacted ICO but no further action was needed.
We then moved all our email marketing to MailChimp (other email providers available!) to avoid this happening in future.

So you're sending emails and personal data to the USA then?

www.thorntons-law.co.uk/knowledge/gdpr-violation-for-german-company-using-mailchimp-for-marketing

GiltEdges · 02/12/2022 06:12

cakeorwine · 01/12/2022 19:47

There have been some really bad incidents with not using BCC

The Foreign Office emailed Afghan interpreters without using BCC
A London hospital emailed HIV patients without using BCC

I would tell them - and they decide whether it meets their threshold for reporting to the ICO. I think it does as it's a lot of data although it's not that personal. Unlike the other examples.

You think it meets the threshold of reportability based on what professional knowledge or experience?

The other examples you quote are very different situations, where people’s medical data was disclosed and/or lives potentially put at risk by strangers being able to identify them. There’s no such risk in this scenario, they just happen to be frequenters of the same coffee shop 🙄

But of course, everyone thinks they’re an expert in GDPR…

Zanatdy · 02/12/2022 06:15

Yes, that’s definitely a data breach. I’d reply and let them know; sure, they do already, but they should follow their data breach policy.

Wallywobbles · 02/12/2022 06:29

In terms of GDPR Germany takes a very hard line.

People saying it's just email addresses. It's a bit like someone putting your phone number on a public toilet wall. I don't want to be contactable by people I haven't given my email to.

Speedweed · 02/12/2022 06:40

Report it to the Information Commissioner's Office (ICO) as well. The business owners won't do anything if you just report it to them.

cakeorwine · 02/12/2022 07:45

GiltEdges · 02/12/2022 06:12

You think it meets the threshold of reportability based on what professional knowledge or experience?

The other examples you quote are very different situations, where people’s medical data was disclosed and/or lives potentially put at risk by strangers being able to identify them. There’s no such risk in this scenario, they just happen to be frequenters of the same coffee shop 🙄

But of course, everyone thinks they’re an expert in GDPR…

ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/
ec.europa.eu/newsroom/article29/items/612052

A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.

Accordingly, the GDPR requires the controller to notify a breach to the competent supervisory authority, unless it is unlikely to result in a risk of such adverse effects taking place. Where there is a likely high risk of these adverse effects occurring, the GDPR requires the controller to communicate the breach to the affected individuals as soon as is reasonably feasible.

Some types of personal data may seem at first relatively innocuous, however, what that data may reveal about the affected individual should be carefully considered. A list of customers accepting regular deliveries may not be particularly sensitive, but the same data about customers who have requested that their deliveries be stopped while on holiday would be useful information to criminals.

In the examples:

- Personal data of a large number of students are mistakenly sent to the wrong mailing list with 1000+ recipients.
  Yes, report to supervisory authority.
  Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.

- A direct marketing e-mail is sent to recipients in the “to:” or “cc:” fields, thereby enabling each recipient to see the email address of other recipients.
  Yes, notifying the supervisory authority may be obligatory if a large number of individuals are affected, if sensitive data are revealed (e.g. a mailing list of a psychotherapist) or if other factors present high risks (e.g. the mail contains the initial passwords).
  Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences. Notification may not be necessary if no sensitive data is revealed and if only a minor number of email addresses are revealed.

So - a large volume of email addresses of local people has been revealed. Which is the last example.

Murasakispillowbook · 02/12/2022 10:41

cakeorwine · 02/12/2022 07:45

ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/
ec.europa.eu/newsroom/article29/items/612052

A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.

Accordingly, the GDPR requires the controller to notify a breach to the competent supervisory authority, unless it is unlikely to result in a risk of such adverse effects taking place. Where there is a likely high risk of these adverse effects occurring, the GDPR requires the controller to communicate the breach to the affected individuals as soon as is reasonably feasible.

Some types of personal data may seem at first relatively innocuous, however, what that data may reveal about the affected individual should be carefully considered. A list of customers accepting regular deliveries may not be particularly sensitive, but the same data about customers who have requested that their deliveries be stopped while on holiday would be useful information to criminals.

In the examples:

- Personal data of a large number of students are mistakenly sent to the wrong mailing list with 1000+ recipients.
  Yes, report to supervisory authority.
  Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.

- A direct marketing e-mail is sent to recipients in the “to:” or “cc:” fields, thereby enabling each recipient to see the email address of other recipients.
  Yes, notifying the supervisory authority may be obligatory if a large number of individuals are affected, if sensitive data are revealed (e.g. a mailing list of a psychotherapist) or if other factors present high risks (e.g. the mail contains the initial passwords).
  Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences. Notification may not be necessary if no sensitive data is revealed and if only a minor number of email addresses are revealed.

So - a large volume of email addresses of local people has been revealed. Which is the last example.

A psychotherapist list is quite different to a local cafe though. There's no implication from being on a cafe mailing list.

I do think we need to apply some common sense before we get angry about what amounts to nothing!

cakeorwine · 02/12/2022 10:49

A psychotherapist list is quite different to a local cafe though. There's no implication from being on a cafe mailing list.

It's the large number though.

I agree that there is limited risk involved. OTOH, it's a large number of local email addresses which could have implications.

GiltEdges · 02/12/2022 12:40

cakeorwine · 02/12/2022 07:45

ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/
ec.europa.eu/newsroom/article29/items/612052

A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.

Accordingly, the GDPR requires the controller to notify a breach to the competent supervisory authority, unless it is unlikely to result in a risk of such adverse effects taking place. Where there is a likely high risk of these adverse effects occurring, the GDPR requires the controller to communicate the breach to the affected individuals as soon as is reasonably feasible.

Some types of personal data may seem at first relatively innocuous, however, what that data may reveal about the affected individual should be carefully considered. A list of customers accepting regular deliveries may not be particularly sensitive, but the same data about customers who have requested that their deliveries be stopped while on holiday would be useful information to criminals.

In the examples:

- Personal data of a large number of students are mistakenly sent to the wrong mailing list with 1000+ recipients.
  Yes, report to supervisory authority.
  Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.

- A direct marketing e-mail is sent to recipients in the “to:” or “cc:” fields, thereby enabling each recipient to see the email address of other recipients.
  Yes, notifying the supervisory authority may be obligatory if a large number of individuals are affected, if sensitive data are revealed (e.g. a mailing list of a psychotherapist) or if other factors present high risks (e.g. the mail contains the initial passwords).
  Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences. Notification may not be necessary if no sensitive data is revealed and if only a minor number of email addresses are revealed.

So - a large volume of email addresses of local people has been revealed. Which is the last example.

No need to quote ICO guidance at me, I read it and train people to understand it on a daily basis.

And FWIW, the volume here is not large, objectively speaking. The content of the emails isn’t sensitive. This is a non-event.

Murasakispillowbook · 02/12/2022 13:42

cakeorwine · 02/12/2022 10:49

A psychotherapist list is quite different to a local cafe though. There's no implication from being on a cafe mailing list.

It's the large number though.

I agree that there is limited risk involved. OTOH, it's a large number of local email addresses which could have implications.

OP said 400. Not a large number - you've quoted 1000s.

It's just not important enough for all this fuss!

cakeorwine · 02/12/2022 18:13

GiltEdges · 02/12/2022 12:40

No need to quote ICO guidance at me, I read it and train people to understand it on a daily basis.

And FWIW, the volume here is not large, objectively speaking. The content of the emails isn’t sensitive. This is a non-event.

It's also examples from the EU Article 29 - reporting a data breach.

Correct - it is 400 email addresses. Is it large enough to report? Or insignificant? Are there implications to the breach?

I take it your advice would be not to report it, but to document the breach, document your decision not to report to the ICO and your reasons why, and also create an action plan to ensure that it didn't happen again and that appropriate technical solutions and training are put in to reduce the chance of a repeat.

Just in case someone whose email was on the list complained to the ICO, who then came and asked you what you decided to do when you were notified of the breach.

cakeorwine · 02/12/2022 18:16

If people are interested, these are the self-reported data breach data sets:

ico.org.uk/about-the-ico/our-information/complaints-and-concerns-data-sets/self-reported-personal-data-breach-cases/

cakeorwine · 02/12/2022 18:23

And an interactive dashboard

Emailing the wrong person is 17% and BCC is 3% of reported incidents.

Email is great but easy to get wrong - especially if in a rush and not concentrating. It can also lead to some harmful mistakes.
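The "technical solution to reduce the chance of a repeat" that the thread keeps circling back to is a pre-send guard: refuse to send list mail while other recipients are visible in To/Cc, and move them to Bcc. The script below is an added example, not code from the thread or any poster; it uses only the Python standard library, and the sender address, the one-visible-recipient threshold and the 400 constructed customer addresses are assumptions made for the demonstration.

```python
"""Pre-send guard for list mail: flag a message whose To/Cc headers expose
other recipients' addresses, and rewrite it so they travel in Bcc instead.
Standard library only. Sender address, threshold and sample recipients are
constructed for this example."""
from email import policy
from email.message import EmailMessage

# Constructed sample data: a cafe newsletter addressed to 400 customers at once.
SENDER = "newsletter@cafe.example"
CUSTOMER_ADDRESSES = [f"customer{i}@example.com" for i in range(400)]

# Assumption: on a marketing send nobody but the sender should be visible,
# so more than one address in To/Cc is treated as a mistake.
MAX_VISIBLE_RECIPIENTS = 1


def build_sample_message(addresses):
    """Construct the failure case from the thread: every recipient in To."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = SENDER
    msg["To"] = ", ".join(addresses)
    msg["Subject"] = "December opening hours"
    msg.set_content("Hello all, our December opening hours are below.")
    return msg


def _addr_specs(msg, field):
    """All bare addresses (user@domain) found in the given header field."""
    return [a.addr_spec for h in msg.get_all(field, []) for a in h.addresses]


def exposed_recipients(msg):
    """Addresses every recipient can read: everything in To and Cc."""
    return _addr_specs(msg, "To") + _addr_specs(msg, "Cc")


def hidden_recipients(msg):
    """Addresses carried in Bcc; the mail server strips this header on delivery."""
    return _addr_specs(msg, "Bcc")


def check_bulk_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Return (ok, visible_count); ok is False when the send should be blocked."""
    count = len(exposed_recipients(msg))
    return count <= max_visible, count


def rewrite_to_bcc(msg):
    """Move every To/Cc address into Bcc and address the mail to the sender
    itself (the usual convention for list mail). Modifies msg in place."""
    to_hide = exposed_recipients(msg)
    already_hidden = hidden_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = str(msg["From"])
    msg["Bcc"] = ", ".join(already_hidden + to_hide)
    return msg


if __name__ == "__main__":
    mail = build_sample_message(CUSTOMER_ADDRESSES)
    ok, visible = check_bulk_send(mail)
    print(f"before: ok={ok}, visible recipients={visible}")
    if not ok:
        rewrite_to_bcc(mail)
    ok, visible = check_bulk_send(mail)
    print(f"after:  ok={ok}, visible recipients={visible}, "
          f"bcc recipients={len(hidden_recipients(mail))}")
```

The guard belongs in whatever sends the mail (a wrapper around the SMTP call, or a mail-merge script), not in the hands of the person in a rush: the check runs on every message, and a send that fails it is either rewritten or rejected before it leaves. A dedicated mailing-list service does the same thing by never putting subscribers in To at all.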

MuggleMe · 02/12/2022 18:29

Had similar where everyone on a school tour got an email with them visible in the to field. I wrote back to tell them and advised better training. They notified everyone, and hopefully it won't happen again because we really like the school.
