So, hypothetically of course: A fleet car had a tracker installed that was never used but the employee had access to it (and their two colleagues' car locations) at all times. This employee left the business and their car was put up for public sale, then sold. Then the employee logged into the tracker phone app, which auto logged in, without remembering what it was and saw that the tracker was never removed and the new owner has not had the tracker removed so their locations is visible.. Only the ex employee and potentially their two colleagues who also had trackers and their manager would be aware of this. What way should the ex employee proceed in letting anyone know, and is this a GDPR breach? Asking for a friend of course.