Is this a GDPR breach?

[Iheartmysmart]

I live in a leasehold flat. Had an email today telling me to log in to the management company portal in order to view a message for all residents. When I did, I was horrified to see that I could view everyone’s letter. Full names, addresses and account numbers. Plus names and home addresses of people who own flats but rent them out to tenants.

I have reported it and the letters have been removed from the portal and I can only see mine now. Is this a breach of GDPR? The property manager doesn’t seem that concerned.

I think it probably is. Names of one's fellow residents probably is not a breach but bank details are.

Yes it is. They need to tighten up - a lot. The Estate Agency industry had plenty of GDPR courses on offer for both lettings and sales. (My cousin used to be involved and asked me loads of questions about GDPR). I would see if they have a privacy Policy and also check out the Freeholder's company details and see what they say.

Thanks both. Just to be clear it’s peoples account information for their management fees that’s been disclosed, not their bank details. Still very poor though.

Even if it’s just names and addresses, it’s a breach.

Yes is was breach.

It gave you a list of people who you could ID as being property owning clients of the company
Plus they home address and /or property address.
Plus the unique id for their dealing with the the property managment company.

What controls do the company have around you account if you phone them or send in a letter for a change of address

@AnSolas To be honest I’ve only ever communicated with the Property Manager and it’s always via email so I don’t actually know their procedures.

Well find out asap
Because you now have the potential for a pissed off nutty NDN who now has your account ID to get additional information from the company who have poor DP and dont care about data breaches.

And Iheartmysmart and lhaertmysmart email addresses can look the same to a busy person

Yes.

@AnSolas Thank you for that, I’ll get in touch with the management company tomorrow and find out what their procedures are and what they intend to do about this breach.

Data, such as names, may be used for the purpose for which they are collected. So if a PTA rep. asks parents to sign their kids up for a shared phone list to be sent out to the whole class then that's fine. If your child's name was given to the school as part of school enrollment and then used for other purposes, then my understanding is that that is a breach. It's possible that parents sign a form each year updating contact details etc and that there may be a disclaimer on that 'your childs name may be used in school and publicity documents, sent out to outside agencies unless you specifically require us not to . . . ' or something like that.

'

Oops. Wrong thread!