GDPR - Breaking of Confidentiality

I have been in dispute with a care company over an invoice dating from late 2018. Basically the company was trying to charge my mother, who suffers from *** for appointments where they didn't turn up or left early to get to other appointments. I asked for some information under the "Freedom of Information Act 2000" several months back which the care company did not supply. Recently a Debt Recovery company contacted me reference the unpaid invoice. We have been in communication for a several weeks now. This week I received an email from the Debt Recovery company attached to the email was some of the information that I had requested from the care company. The attachments were a copy of my mothers contract with the care company, a copy of her Individual Care and Support Agreement and a copy of my Power of Attorney for my mothers finances.

Are the care company in breach of GDPR for sharing this information with a third party i.e. the Debt Recovery company?

First, you should verify if any privacy notice was given to your mother and if she signed it. She may have given consent to data processing and data transfer.

In any case, Article 6 GDPR paragraph 1 (b), (f) states that data processing (without consent) is lawful when it is necessary to perform a contract between the controller and the data subject or for the purposes of a legitimate interest of the controller or a third party. Therefore, transferring data to collect money for an unpaid invoice is considered lawful.

You should verify with a lawyer if the Member State where you live introduced some internal regulation over data processing in debt collecting procedure which limits data transferring in some way. 

What can I do about this breach of confidentiality?

It can be considered a breach of confidentiality only if your mother signed a privacy notice where it was stated that personal data would not transfer to any third party. Otherwise, it can be considered lawful.

Can I take the Care Company to court over this matter? As I am really not happy with them over this!

I can understand that you are not happy, you should ask for advice from a lawyer in your own country and verify if there is any chance to defend from their request on the basis of the care service provided. 

You can find more information about data processing here:

• Article 6 GDPR: https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/
• Understanding 6 key GDPR principles: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

You may also consider enrolling in this online EU GDPR Foundations Course:
EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//