What happened?
The client provided the controller with an incorrect email address. As a result, correspondence containing an insurance policy was sent to that address and ended up in the hands of an unauthorized third party. The file with the policy was not password protected, so the recipient was able to view the personal data contained in the document without any restrictions.
Recommendations:
When communicating with clients via email, the controller should be aware of the risks involved, for example that a client provides an incorrect email address, and should take appropriate organizational and technical measures to minimize them, such as:
– Verifying the email addresses provided by clients
– Encrypting files containing personal data before sending them electronically
Note:
A client’s mistake does not release the controller from responsibility for the data protection breach or its consequences.
The authority's reasoning behind these recommendations is that a personal data breach occurs not only when it results from intentional action but also when it arises from negligence. The fact that the breach was caused by the client's mistake in providing an incorrect email address does not change how the event is classified: the unauthorized disclosure of personal data to a third party constitutes a breach of confidentiality.
Is requesting deletion of the email by the unintended recipient a sufficient action by the controller?
No. According to the authority’s position, the request alone does not affect the assessment of the breach. There is no certainty that the recipient did not, prior to deletion, make a copy of the file or record the personal data in another form (e.g. by writing them down). The same applies to any declaration made by the recipient regarding deletion, as the controller has no way of verifying such a statement.
However, making such a request can put the controller in a better light before the President of the Personal Data Protection Office.
Based on the decision regarding:
TUiR WARTA S.A., dated 09.12.2020,
Ref. no.: DKN.5131.5.2020, https://uodo.gov.pl/pl/138/1801
