GDPR - Estate Agent email

Hi,

So a work colleague recently contacted an estate agent about some local land that was for sale.

The agent, Carl, sent the wrong information and then went on holiday. Another girl sent out the right info to him a week later.

Today Carl emailed him again, an email "Invitation to Submit Initial Offer", then 6.5 hours later to recall the email and state there was a breach of GDPR.

We couldn't figure it out initially when he first received the GDPR email but I noticed that the original email has 133 email addresses CC'd in instead of BCC'd.

He's livid but I've told him not to worry, it's not like it's likely anyone on there is going to be hacking his accounts or anything.

Anyway, he wants to know what if any course of action he has, and I want to know what you lot would do in this case?

Me, I couldn't care less about an email address.
 
His primary course of action should be to calm down. What kind of action is he expecting to be open to him? It sounds like he wants to use this as a bargaining chip to get a better deal on the land he's after.

Sure it's a minor inconvenience, but nothing worth worrying about. My first thought would be to not use a luddite company that still uses blanket CC/BCC emails.
 
This is a clear case of calling a duel.
Pistols at dawn, he should call the chap out immediately, force him to name a second, and then purchase a plot from the estate agent for the body to be buried on.
 
So it's just his email address that has been sent to 132 other people that the estate agent deals with.

If that's the case then nothing, it's not like you are going to get any compo or anything. I doubt the agent would be fined either as it isn't a serious breach, if it's even a breach. The fines are there to punish the negligence of large multinationals that allow huge amounts of customer data to leak and not silly mistakes. The ICO isn't going to be interested, put it that way.

Now if they emailed your financials to all of those 132 people then you would have some recourse.
 
e-mail addresses aren't themselves sensitive information, it's basically just incredibly unprofessional. Calm down and if the guy is that much of a muppet spend money elsewhere.
 
His email is probably everywhere already anyway :p


Although on the subject of GDPR I've got a question.


In work emails are automatically assigned by name so hilariously for a trillion euro company people with the same name end up sharing email accounts, mine is shared with a manager down in fillton so I get reports on military projects etc, but the thing that concerns me is that results of the meeting medical discussions etc are sent there where they're shared

He complained a few years back and got nothing from the IT department but a sorry deal with it response and how it could be worse (there's 6 John Smiths sharing an email address).
So a few weeks ago I submitted feedback through our compliance department and got an automated "thanks we're following it up" response then nothing.

But this is a clear breach of all sorts of security stuff right? I mean I'd never share any work stuff as I've signed Official Secrets Act etc regarding it, my main concern is simply reports from my back to work interviews etc being "public".

I'm no expert but my understanding is that if it relates to personal information (rather than work/business) then the company still have to comply with the GDPR including how they control and process the data. So if medical discussions are being shared then the company is probably in breach of the regulations.

I'm an accountant not a lawyer. So don't necessarily trust me. Except about cheese.
 
His email is probably everywhere already anyway :p


Although on the subject of GDPR I've got a question.


In work emails are automatically assigned by name so hilariously for a trillion euro company people with the same name end up sharing email accounts, mine is shared with a manager down in fillton so I get reports on military projects etc, but the thing that concerns me is that results of the meeting medical discussions etc are sent there where they're shared

He complained a few years back and got nothing from the IT department but a sorry deal with it response and how it could be worse (there's 6 John Smiths sharing an email address).
So a few weeks ago I submitted feedback through our compliance department and got an automated "thanks we're following it up" response then nothing.

But this is a clear breach of all sorts of security stuff right? I mean I'd never share any work stuff as I've signed Official Secrets Act etc regarding it, my main concern is simply reports from my back to work interviews etc being "public".

Wow that is a ridiculous situation.

If it was like that where I work heads would roll - I mean compliance would literally have people frog marched off the premises by security :s
 
His email is probably everywhere already anyway :p


Although on the subject of GDPR I've got a question.


In work emails are automatically assigned by name so hilariously for a trillion euro company people with the same name end up sharing email accounts, mine is shared with a manager down in fillton so I get reports on military projects etc, but the thing that concerns me is that results of the meeting medical discussions etc are sent there where they're shared

He complained a few years back and got nothing from the IT department but a sorry deal with it response and how it could be worse (there's 6 John Smiths sharing an email address).
So a few weeks ago I submitted feedback through our compliance department and got an automated "thanks we're following it up" response then nothing.

But this is a clear breach of all sorts of security stuff right? I mean I'd never share any work stuff as I've signed Official Secrets Act etc regarding it, my main concern is simply reports from my back to work interviews etc being "public".

Depends on the contents of medical e-mails etc. He should provide evidence to the ICO as it is most likely a breach but they'll advise otherwise anyway.
 
His email is probably everywhere already anyway :p


Although on the subject of GDPR I've got a question.


In work emails are automatically assigned by name so hilariously for a trillion euro company people with the same name end up sharing email accounts, mine is shared with a manager down in fillton so I get reports on military projects etc, but the thing that concerns me is that results of the meeting medical discussions etc are sent there where they're shared

He complained a few years back and got nothing from the IT department but a sorry deal with it response and how it could be worse (there's 6 John Smiths sharing an email address).
So a few weeks ago I submitted feedback through our compliance department and got an automated "thanks we're following it up" response then nothing.

But this is a clear breach of all sorts of security stuff right? I mean I'd never share any work stuff as I've signed Official Secrets Act etc regarding it, my main concern is simply reports from my back to work interviews etc being "public".

I'll put money on your employer breaking the Official Secrets Act, whether you're cleared or not you having access to stuff that you don't need to is in breach of sensitive data policy.

If you're that bothered then a quick phone call to the right people could get it all sorted extremely quickly.
 
Schoolboy error but not something I would go 'livid' over. My son's old nursery did something similar once, mailed out to a massive mailing list so you could see everyone's email address, basically all the parents and often that included their name and sometimes what was presumably their year of birth.
Even had a government agency do it before perhaps 10 years ago.

As for Tefal - that is absolutely ludicrous. It should be reported to your DPO, not IT. It's just fundamentally bad practice even leaving aside any regulatory concerns. I mean, even 15 years ago I would have considered that incredibly shoddy.
I did once share an email address with a colleague (under his name) but that was years ago and more a case of them not setting me up with one because I don't think they felt I needed one at first.
 
firstname.lastname is fairly common, but if you have a lot of people you probably need to get creative and start throwing in the middle initial as well to remove duplicates.

How the hell do they prove which s.smith sent an email if there are 6 people accessing the same mailbox? How do you know who is meant to deal with something and who isn't?

Nuts, nuts I tell you!

Where I work, though it makes them quite long, they use [email protected] which cuts down on potential duplicates a bit after that I think they just number them after lastname.
 
Wtf happened here?


@Tefal the only option is to impersonate the other guy and take his job. A self appointed promotion if you will.
 
Sounds to me like the OP's colleague needs to hunt down 132 people and "persuade" them to retract their interest ;)

Either that or watch his back if one of the others has the same idea :eek:
 
Wow that is a ridiculous situation.

If it was like that where I work heads would roll - I mean compliance would literally have people frog marched off the premises by security :s

If sensitive military project info is being sent to undisclosed persons, that’s a breach of the Official Secrets Act and I would expect that the security teams at both ends would be all over that like a rash before HMG got wind of it.
 
e-mail addresses aren't themselves sensitive information, it's basically just incredibly unprofessional. Calm down and if the guy is that much of a muppet spend money elsewhere.

An email address is PII (personally identifiable information), however depending on the name of his email address it might not directly identify your mate.

He could complain to the ICO but it is highly unlikely he will receive compensation from the estate agent.
 
It isn’t GDPR, it is the Data Protection Act 2018.

If the company holding personal data identifying the client, share that with a third party group intentionally without permission, then that is indeed GDPR.

Happy to stand corrected and learn something new though!
 
If the company holding personal data identifying the client, share that with a third party group intentionally without permission, then that is indeed GDPR.

Happy to stand corrected and learn something new though!

Allow me to correct you :)

GDPR is EU regulation that did not require EU member states to pass legislation to enact it. However, the UK intends to leave the EU and therefore enacted legislation equivalent to GDPR under the Data Protection Act 2018. See here for more details: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

The UK will be a 'third country' once we leave the EU.
 