I asked a member of my voluntary organisation to email me her complaint about the conduct of other members of the organisation. She then sent me a file which contained potentially libellous allegations against a non-member. I forwarded the file to an another officer to be considered. In the meantime, the complainant has circulated that file without authorisation to other members of our organisation. Is the organisation or myself in breach of GDPR security, although I have only circulated the file to one other officer, whose advice was that we are not competent to consider the case of the person named in the file in connection with criminal misconduct (without any supportive evidence). Or is it only the complainant who may be guilty of a breach, for circulating her own personal and original copy of the file to others?
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Article 4 paragraph 12 GDPR defines the data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
Now, the controller of data is the organization that should adopt organizational security measures to prevent unauthorized disclosure of personal data, by establishing a policy. If your organization does not have an access policy and the email circulated within the organization there is not a proper data breach, though a lack of security happened. Asking for advice to the officer in order how to handle a complaint is not a data breach, because the forwarding is necessary to deal with the complaint while forwarding the email to other members of the organization can be a data breach if the email went out of the organization perimeter. (i.e., someone forwarded to a friend which is not part of the organization).
In case a data breach happened, you should notify the data breach to your national Surveillance Authority or if you are outside the EU to your EU Representative because the email contained information about criminal misconduct which may result in a risk for the rights and freedom of the involved person.
Here you can find some useful resources on how to handle and prevent a data breach:
- Small business guide to cyber security: 6 steps against the data breach https://advisera.com/27001academy/blog/2015/02/09/small-business-guide-to-cyber-security-6-steps-against-the-data-breach/
- Assessing the severity of personal data breaches according to GDPR https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr
If you need to understand how to deal with data breach under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Does the complainant's unauthorised circulation to others of her own original copy of the file make the organisation liable under GDPR? It does not look as though the organisation's own security has been breached in this case. There has been no unauthorised access to the organisation's system containing its own copy of the file received from the complainant.
The company should adopt organizational measures to prevent the unauthorized circulation of the email (is there an access control policy? Is staff trained?) It is not only about technical security measures but only adopting processes and procedures that prevent staff from disclosing sensitive information to a third party. So, in that way, the organization can be considered liable for a data breach.
Comment as guest or Sign in
Feb 04, 2021