
GDPR Online retail

3 replies

pricklyegg · 30/11/2018 11:55

Wondering if there is anyone out there with a decent understanding of GDPR in relation to my query.
Basically I have a standalone online retail shop and an accompanying eBay shop. I do quite well through these businesses, but I am basically a sole trader, so not mega turnover.

Via the eBay platform I sold an order and sent it out to customer (A). Unfortunately I had accidentally enclosed another customer (B's) order with customer (A's) - it was in a sealed envelope addressed to customer (B). Hope I have explained that well.

I'm not sure how I managed this feat, but hey I'm human and occasionally make mistakes.

Lovely customer (A) contacts me to tell me what I have done and offers to forward the order on. I reimburse customer (A's) postage and contact customer (B) to explain the situation and she seems happy enough with the arrangement.

A few days later customer (B) contacts me to inform me that I have breached GDPR laws, how dare I share her information with a stranger and that she wants a full refund etc. 99% of my customers are lovely, so this one has thrown me a bit.

The order is on its way to customer B and is of quite high value and in as much as I can appreciate customer B's concerns, I can see this as being no different to a postman delivering an envelope to the wrong address and the recipient forwarding it on to the correct addressee. So I am loath to just refund.

When I have tried to look up the guidelines online it's saying that I need to report any GDPR breaches to the data controller and I can't find much information on this kind of scenario.

Does anyone have any experience of something similar, or good knowledge of GDPR regs?

LaundryLaundryLaundry · 04/12/2018 20:37

I don't know the legal ins and outs (my experience with GDPR is advising small businesses with compliance re record keeping and tech systems) but I would think that yes, it would count as a breach. If the person came back to you with, hey, no problem, then no problem for you. But the fact that they're quoting GDPR means they know they didn't consent to you sharing their personal data in that way (albeit by mistake). It does sound like they're trying it on (getting a free order? Nice!) but they're right about the breach.

As far as reporting it to the Data Controller goes, assuming you're a one woman band, then that's you (the DC is whoever is responsible for GDPR within a business or other organisation.)

What to do next? According to the info on this article www.jaluch.co.uk/hr-blast/gdpr-data-breaches-report/
your situation has been contained and it all sounds under control which means no need to report to the ICO but you do need to document the incident and justify it in case it ever comes up again.

In the meantime you should make sure you've audited your business to make sure you are compliant with policies in place for protecting customer data and handling data breaches.

As far as the refund goes, I guess it's a decision to make re pissing off a customer even more. You cocked up, unfortunately. Could you offer a more reasonable partial refund so you at least cover costs?

Giantbanger · 04/12/2018 20:43

You have breached. You should have got them to return to you but the act of sending to the wrong place is the breach.

Lalalala28 · 09/12/2018 17:15

I work in this area and it is a breach, but not a serious one. I don't think person B has suffered any loss or likelihood of harm as a result so the only action needed is an apology and you should make sure not to do the same thing again.
