Expert Advice Community

Possible GDPR breach

Guest user Created: Feb 01, 2021 Last commented: Feb 04, 2021

I asked a member of my voluntary organisation to email me her complaint about the conduct of other members of the organisation. She then sent me a file which contained potentially libellous allegations against a non-member. I forwarded the file to another officer to be considered. In the meantime, the complainant has circulated that file without authorisation to other members of our organisation. Is the organisation or myself in breach of GDPR security, although I have only circulated the file to one other officer, whose advice was that we are not competent to consider the case of the person named in the file in connection with criminal misconduct (without any supportive evidence)? Or is it only the complainant who may be guilty of a breach, for circulating her own personal and original copy of the file to others?


Expert: Alessandra Nisticò, Feb 03, 2021

Article 4 paragraph 12 GDPR defines the data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;”

Now, the data controller is the organization, which should adopt organizational security measures to prevent unauthorized disclosure of personal data by establishing a policy. If your organization does not have an access policy and the email circulated within the organization, there is not a proper data breach, though a lack of security happened. Asking the officer for advice on how to handle a complaint is not a data breach, because the forwarding is necessary to deal with the complaint, while forwarding the email to other members of the organization can be a data breach if the email went outside the organization perimeter (i.e., someone forwarded it to a friend who is not part of the organization).

In case a data breach happened, you should notify the data breach to your national Surveillance Authority or, if you are outside the EU, to your EU Representative, because the email contained information about criminal misconduct, which may result in a risk to the rights and freedoms of the person involved.

Here you can find some useful resources on how to handle and prevent a data breach:

If you need to understand how to deal with a data breach under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//

Guest: Robert Davies, Feb 03, 2021

Does the complainant's unauthorised circulation to others of her own original copy of the file make the organisation liable under GDPR? It does not look as though the organisation's own security has been breached in this case. There has been no unauthorised access to the organisation's system containing its own copy of the file received from the complainant.

Expert: Alessandra Nisticò, Feb 04, 2021

The company should adopt organizational measures to prevent the unauthorized circulation of the email (is there an access control policy? Is staff trained?). It is not only about technical security measures but also about adopting processes and procedures that prevent staff from disclosing sensitive information to a third party. So, in that way, the organization can be considered liable for a data breach.
