Is this a GDPR Breach?

[Freelancer87]

Hello,

Quick question about GDPR. We accidentally sent a certificate to the wrong person. The name on the envelope and certificate wasn't the person living at that address. No other personal details were included in the envelope. Just a certificate with a name on it.

Is that a breach of GDPR? No personal details were given....just an error with the address.

Thanks for the insight!

 

[Strent12]

If you check out this guide to GDPR https://realtimecrm.co.uk/posts/gdpr-guide/ you'll see that a data subject is defined as someone who can be "directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity. An example would a person named ‘James Sample’."

I'll give you an example where just allowing people to see email addresses they weren't supposed to see got them into trouble.

"An independent inquiry into child sexual abuse was fined £200,000 by the ICO after sending a bulk email that identified possible abuse victims. In this case, an officer sent an email to 90 people involved in a review without using the blind carbon copy (bcc) functionality. This allowed the recipients to see each other's email addresses and identified them as possible victims of child sexual abuse."

To be honest I think you'll be ok but be careful in future.

 

[Freelancer87]

Thanks for the insight on that @Strent12.

 

[ecommerce84]

I’d definitely say no as the person cannot be identified from the name on the certificate unless they happen to have an exceptionally unique name.

 

[paulears]

My solicitor sent me a pile of documents, including one belonging to another client. I know their name, address, how much they are paying for the house and how much the solicitor is charging them. I phoned them up and she said throw it away. It's a clear breach, but practically, it's a mistake and I binned it. The idea behind GDPR is protection of data. Is a certificate with just a name identifiable data? I doubt it.