

Is this a breach of GDPR?

33 replies

GDPR · 20/09/2024 21:31

Not necessarily an AIBU, I’m just posting here for traffic!

I recently moved into a new private rental within a large block of flats. Some weeks ago I found out that there needs to be work carried out on the building and everyone who lives within a certain side of the building will have a surveyor who needs access to the flats.

Today I received an email from a member of the Tenants Association regarding the surveyor's availability and, instead of sending the email via BCC, he's CC'd at least 50 tenants all into one email. That's 50 strangers (yes we live in the same building but do we need access to each other's email addresses without consent? I don't think so) whose personal data have been shared just like that.

Some people have already replied asking why their email address has been shared with others and I’m wondering the same thing. I’m sure people may think, ‘well it’s hardly the end of the world if people have your email address’ but I don’t think other tenants should have access to it in the first place. Is this a breach of GDPR? Do organisations like a Tenants Association Group need to protect people’s data the same way that larger businesses do?

I’m not going to do anything about it but I just wondered whether they’re in the wrong or not tbh

OP posts:
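The mistake the OP describes (recipients placed in the Cc header instead of being hidden) is a process failure that software can catch before the message leaves. The following is an added example, not code from the original thread or from any mailing tool the posters mention: it builds a bulk message with the recipient list kept out of the headers entirely (the SMTP envelope is what BCC delivery amounts to), and a pre-send check that refuses any message exposing more than one address. The sender address, the tenant addresses and the threshold are constructed for the example.

```python
"""Bulk-mail helper: keep recipient addresses out of the visible headers
and refuse to send a message that exposes them.  Example code; all
addresses below are constructed placeholders."""
from email.message import EmailMessage
from email.utils import getaddresses

# Only the sender's own address is allowed to be visible to recipients.
MAX_VISIBLE_RECIPIENTS = 1


def build_bulk_message(sender, recipients, subject, body):
    """Return (message, envelope_recipients).

    The real recipients never enter the To/Cc headers; they are returned
    as the envelope list and handed to the SMTP layer separately, e.g.
    smtplib.SMTP.send_message(msg, to_addrs=envelope).  The To header
    carries only the sender so the header is not empty.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    # Deduplicate while preserving order and drop blank entries.
    envelope = list(dict.fromkeys(a.strip() for a in recipients if a.strip()))
    return msg, envelope


def visible_recipients(msg):
    """Every address another recipient could read from To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def safe_to_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Pre-send gate: False if the headers expose too many addresses."""
    return len(visible_recipients(msg)) <= max_visible


def demo_check(n_tenants=50):
    """Compare the safe construction with the Cc mistake from the thread.

    Returns (safe_ok, envelope_size, cc_ok, cc_visible).
    """
    sender = "association@example.invalid"                      # constructed
    tenants = [f"tenant{i}@example.invalid" for i in range(n_tenants)]  # constructed

    good, envelope = build_bulk_message(
        sender, tenants, "Surveyor access dates", "Dates are listed below.")

    # The mistake: every tenant pasted into Cc, visible to all the others.
    bad = EmailMessage()
    bad["From"] = sender
    bad["To"] = sender
    bad["Cc"] = ", ".join(tenants)
    bad["Subject"] = "Surveyor access dates"
    bad.set_content("Dates are listed below.")

    return (safe_to_send(good), len(envelope),
            safe_to_send(bad), len(visible_recipients(bad)))


if __name__ == "__main__":
    print(demo_check())
```

The gate runs on the message object rather than on the address list, so it also catches the case where a mailer template already carries a Cc header; anything delivered via the envelope list is invisible to the other recipients, which is the property the original BCC would have given.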
User6874356 · 23/09/2024 17:19

Comefromaway · 23/09/2024 15:20

Being a volunteer does not absolve you from GDPR responsibilities. I was a volunteer for many years and although it was before GDPR I knew what I could and could not do and what the consequences might be.

It’s not really a big deal though and I struggle to see why people are making such a big issue. It’s not even clearly a breach and certainly the ICO would never take action over something like this

SoNiceToComeHomeTo · 23/09/2024 17:21

I've been a volunteer for several charities and have inadvertently used CC instead of BCC for mass mailings several times, felt mortified when I realised and sent an immediate apology asking everyone to delete the email with the CC's. This man is behaving like an idiot in not acknowledging his mistake, if it was one; or not reading up about GDPR if he did it intentionally. However, most likely nobody will come to harm over having their email address shared with fellow tenants so probably best try to forget it.

cakeorwine · 23/09/2024 19:12

ohyesido · 23/09/2024 15:18

It is probably not a reportable breach, unless it contained embarrassing or sensitive information about the recipients.

I doubt the ICO would be interested as it’s more of an admin oversight. Email addresses are personal information but on their own they don’t identify anyone personally.

However, the YMCA were fined a considerable sum when the same thing happened, because the email was about treatment in a sexual health service, therefore incredibly sensitive.

It’s more about the impact than the action.

Absolutely

The Foreign Office used CC to email Afghan translators fleeing Afghanistan

ICO fines Ministry of Defence for Afghan evacuation data breach | ICO

On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

They were in a rush

ICO fines Ministry of Defence for Afghan evacuation data breach

The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/12/ico-fines-ministry-of-defence-for-afghan-evacuation-data-breach/

GDPR · 23/09/2024 19:24

User6874356 · 23/09/2024 17:19

It’s not really a big deal though and I struggle to see why people are making such a big issue. It’s not even clearly a breach and certainly the ICO would never take action over something like this

It is a big deal though isn’t it? If you haven’t consented to something yet someone has gone ahead and made a decision on your behalf (whether it was through carelessness or not), then it is a pretty big deal.

I don’t see how anyone has made a big deal out of anything. Those (including myself) that are pretty annoyed, have sent an email back to them making them aware of their mistake. How do you consider that to be a big deal?

Nowhere in any of my posts have I said that I’ll be reporting anything. It’s a waste of my time and simply, I don’t actually care enough to do so. That doesn’t mean that I can’t have a moan about it on Mumsnet

OP posts:
Comefromaway · 23/09/2024 19:49

it’s more about the impact than the action

Absolutely, and the emailer can’t possibly know the impact.

In another example, my DH was a teacher. Imagine if the parents of one of his students got hold of his personal email address.

SweetSakura · 23/09/2024 20:06

It's a breach, but a fairly trivial one in all likelihood (unless someone uses the information nefariously)

SpinyNorma · 23/09/2024 21:10

The breach itself is pretty trivial. Sending personal data to the wrong recipient is a notifiable breach which the organisation at fault should really report to the ICO itself. If it hasn't that's arguably a bit more serious but I'd still be surprised if the ICO does any more than insist better processes are put in place to prevent this happening again.

cakeorwine · 23/09/2024 21:37

SpinyNorma · 23/09/2024 21:10

The breach itself is pretty trivial. Sending personal data to the wrong recipient is a notifiable breach which the organisation at fault should really report to the ICO itself. If it hasn't that's arguably a bit more serious but I'd still be surprised if the ICO does any more than insist better processes are put in place to prevent this happening again.

No it isn't.

Personal data breaches: a guide | ICO

When a personal data breach has occurred, you need to establish the likelihood of the risk to people’s rights and freedoms. If a risk is likely, you must notify the ICO; if a risk is unlikely, you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.

Personal data breaches: a guide

https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
