
Employer of 2 years ago and GDPR breach

17 replies

Igloo71 · 24/01/2022 18:14

I don’t know if I should just laugh this off or be utterly fuming.

I received an email to my personal email address recently from my ex employer. It clearly wasn’t intended for me (similar circumstances as meant for Louise but I’m Louisa) and contained private company financial data. It was sent by one of the senior leadership team who heads up GDPR. I opened the document because I thought it was related to my pension. So obviously GDPR has been breached in relation to the document, but what about my personal data? Surely my email address should be with HR only?

I haven’t got back to anyone yet…..

TragicMuse · 24/01/2022 18:40

It's two different things here:

Confidential company financial data isn't necessarily a GDPR issue if it doesn't contain personal data of identifiable people. So if it's just business data that's not a personal data breach, but they might not want to have that info out in the world.

In relation to your personal email address that is likely to be a breach of the principles and I'd advise contacting their data protection person/team.

You can request that your data is erased, they might need it for post-employment purposes but they'll have to explain that, if that is the case.

You can request that your data isn't used in this way though, so even if they need to retain the data they can't actually use it.

The ICO website is pretty helpful too.

prh47bridge · 24/01/2022 18:42

If the document contains just company financial detail, that is not a GDPR breach. It is only a breach if it contains personal information.

The sender should only have access to your personal email address if one of the justifications under GDPR applies. If they don't, the use of your personal email address is a breach of GDPR. However, the ICO won't be interested in a single misdirected email.

Igloo71 · 24/01/2022 18:44

Thank you @TragicMuse for your helpful response. I don’t want to go in all guns blazing but yes, I’d only expect my personal email to be with HR, not with others. It’s very confusing.

Igloo71 · 24/01/2022 18:46

@prh47bridge thank you. I’ve no intention of reporting it, just stunned my personal email is on the system in some way. And wondering how many people have access to it.

prh47bridge · 24/01/2022 18:55

Did the individual concerned ever use your email address before? If so, it might simply be stored in his email client (Outlook or whatever) as an autocomplete address. If that is the case, he will be offered your email address as a possible once he has typed the first few characters.

Igloo71 · 24/01/2022 19:15

Yes, I think that is the case. I checked back and I sent a sick note nearly 3 years ago. I guess I would just assume IT would do some kind of clear down every so often.

Igloo71 · 24/01/2022 19:16

I assume it’s not a GDPR then in that case?

prh47bridge · 24/01/2022 21:19

Arguable either way. He could delete your email from the autocomplete list and probably should have, but many people wouldn't know how to do that or even think that they should. Possibly a breach but about as low level as it is possible to get.

Igloo71 · 24/01/2022 21:37

Thank you. Yes it is low level and hence why I’ve not done anything about it. My gut was that he should have deleted it and I think rather than challenge him, I would prefer just to block further emails and ignore so I’m not placed in this situation again.

LittleBearPad · 24/01/2022 21:39

I’d reply and say you think the email has gone astray as you no longer work for the company

LittleBearPad · 24/01/2022 21:39

You’ll make your point.

I don’t know why you’d be fuming

user1471504747 · 24/01/2022 21:43

It sounds like there’s some bad blood between you and ex employer and you’re looking for something to jump on.

At most reply to say it’s not meant for you. I would probably just delete and move on.

Igloo71 · 24/01/2022 22:15

@user1471504747 not at all. I didn’t say I WAS fuming, I wondered if I should be. Where on earth are you reading that I was looking to jump on something? I was asking if my data was being stored in breach of GDPR. It seems that potentially and at a low level it is. It’s nearly a week since the email arrived, if I was jumping on it, I believe I would have done by now.

BeckyWithTheGoodHair010101 · 26/01/2022 07:36

If the email was sent to a list of recipients of which you are one, and all other parties have visibility of your personal email address, then it is a GDPR breach, individuals should use the bcc function when including people's personal addresses so that they aren't visible to others.

The company will have to report this as a small breach, so just reply and let them know that your email address has accidentally been compromised and they should report to the ICO.

MissLucyEyelesbarrow · 26/01/2022 07:43

On the question of retaining your personal email address, they should have a data retention policy about how long they retain any data about you. There aren't any set rules, in most cases, but the retention has to be reasonable under GDPR (i.e. proportionate, serving a purpose etc). You've only been gone two years, though, and there are lots of reasons why a former employer might need to contact you at this stage, so it's not unreasonable for them still to have it.

Totalwasteofpaper · 26/01/2022 07:44

@prh47bridge

Did the individual concerned ever use your email address before? If so, it might simply be stored in his email client (Outlook or whatever) as an autocomplete address. If that is the case, he will be offered your email address as a possible once he has typed the first few characters.
I would assume this. Then delete it or reply with "wrong email address!" and never think of it again.

Surprised at the head space you are giving this. Did you end on terrible terms or something?

TragicMuse · 27/01/2022 18:42

@BeckyWithTheGoodHair010101

If the email was sent to a list of recipients of which you are one, and all other parties have visibility of your personal email address, then it is a GDPR breach, individuals should use the bcc function when including people's personal addresses so that they aren't visible to others.

The company will have to report this as a small breach, so just reply and let them know that your email address has accidentally been compromised and they should report to the ICO.

FWIW This is literally my day job and I don't think it meets the threshold for notification to the ICO.

OP, what I would do is:
Let them know they've made this error
Ask them to delete your email address OR to justify why they need to retain it
Restrict processing to contact for post-employment purposes only

And leave it there. It's not major but you don't want them to keep on doing this and they need to know that they've made this mistake so they can put it right.

That's all.
