
I know people on here might have GDPR fatigue, but in Europe you'd have a massive stick to incentivize them to make it right. This is exactly why regulation such as this is needed.

We shouldn't have to depend on publicity and shame to force a company to be careful with our data, we should have a neutral agency that investigates every report equally and is able to hand out fines for those companies that don't take our privacy seriously.

(I mean, California is on the right track)



You may underestimate how much of a shit companies give. T-Mobile Netherlands have been sending me plenty of private information about one of their customers for months (their customer signed up using a.person@gmail.com as their email address, I've held the aperson@gmail.com account since 2006, hence I receive the emails).

I've tried escalating this with them multiple times; each time they insist that I won't receive any more emails, until the next one arrives. I also tried threatening them with taking it up with whichever authority is relevant if they don't fix it, and reminded them about the 20m Euro or 4% of global turnover fine they could incur, yet I still keep receiving this poor sap's information.


Then do it! Contact the Autoriteit Persoonsgegevens [1], that's exactly the point of my comment.

[1]: https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/c...


Have you tried contacting their DPO? Their privacy policy [0] lists dpo@t-mobile.nl as the email address to write to.

[0]: https://www.t-mobile.nl/Global/media/pdf/privacy-statement.p...


In case you haven't already tried, I would contact their legal department. I would expect them to be far more invested and effective in fixing these breaches than anybody in the phone-based customer support chain.


Although it's about a different subject matter, I'm reminded of this quote from a patio11 article:

> [A bank's] CS department is scored on number of tickets resolved per hour, and each rep’s incentives are simply to classify you as something requiring no followup and get you off the phone. [...] The legal department (or an analogous group – it is different at every bank) is not scored on cases resolved per week. They are scored on regulatory incidents per quarter, and their target for success is likely zero. Shockingly senior people will be involved to avert regulatory incidents.

src: https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r...


I'm not sure that's a violation of GDPR. If person A has accidentally authorised their personal correspondence to be sent to person B they are pretty culpable for the consequence. Good systems require you to verify your email address, but I'm not sure there's a legal requirement to enforce that.

Regardless, it's a very different problem to a bug introduced by the company that leaks customer information.

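The comment above notes that good systems verify an email address before using it. An added example (not code from the thread or from T-Mobile) of the double opt-in gate that would have prevented the situation described: the only thing ever mailed to an unverified address is a signed, time-limited confirmation token, and personal data is released only once the token has been echoed back. Function names, the in-memory address book, the secret and the sample addresses are all constructed for illustration.

```python
"""Double opt-in email verification gate (illustrative, assumed design).

A token binds the address, an expiry and a nonce under an HMAC, so a token
minted for one address cannot be replayed for another or after it expires.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo secret; a real service loads this from a secrets store.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600


def _normalize(email: str) -> str:
    # Addresses are compared case-insensitively and without stray whitespace.
    return email.strip().lower()


def _mac(msg: bytes) -> str:
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Return 'email|expiry|nonce|mac'; this string is all an unverified address gets."""
    now = time.time() if now is None else now
    expiry = int(now + TOKEN_TTL_SECONDS)
    nonce = secrets.token_hex(8)
    payload = f"{_normalize(email)}|{expiry}|{nonce}"
    return payload + "|" + _mac(payload.encode())


def verify_token(token: str, claimed_email: str, now: Optional[float] = None) -> bool:
    """True only if the MAC is intact, the address matches and the token is unexpired."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:          # malformed (or an address containing '|')
        return False
    email, expiry, nonce, mac = parts
    payload = f"{email}|{expiry}|{nonce}"
    if not hmac.compare_digest(mac, _mac(payload.encode())):
        return False             # tampered or forged
    if email != _normalize(claimed_email):
        return False             # token minted for a different address
    return now < int(expiry)


class AddressBook:
    """Tracks which addresses completed the loop; PII goes only to verified ones."""

    def __init__(self) -> None:
        self._verified: set = set()

    def start_verification(self, email: str) -> str:
        # Caller mails this token to the address; nothing else is sent yet.
        return issue_token(email)

    def confirm(self, email: str, token: str) -> bool:
        if verify_token(token, email):
            self._verified.add(_normalize(email))
            return True
        return False

    def is_verified(self, email: str) -> bool:
        return _normalize(email) in self._verified

    def send_personal_data(self, email: str, record: dict) -> Optional[str]:
        """Return the message body to send, or None (nothing leaves) if unverified."""
        if not self.is_verified(email):
            return None
        return f"Hello {record['name']}, here are your account details ..."


if __name__ == "__main__":
    book = AddressBook()
    addr = "a.person@example.com"           # constructed sample address
    tok = book.start_verification(addr)
    print("before confirm:", book.send_personal_data(addr, {"name": "A. Person"}))
    print("confirm ok:", book.confirm(addr, tok))
    print("after confirm:", book.send_personal_data(addr, {"name": "A. Person"}))
```

The point of the design is in `send_personal_data`: the mis-typed address from the thread (`aperson@` versus `a.person@`) would never have received anything beyond a token it could not legitimately complete, and the customer's statement, ID number and bank details would have stayed unsent.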

> I'm not sure that's a violation of GDPR.

I think the initial communication is obviously not the fault of the company, but as soon as they are aware and refuse to put right the situation, I think they are very much at fault.


Exactly, honest mistakes can, and do, happen. The cause should be investigated and if minor, logged on a register; if serious, it must be reported to the regulator.


The initial email was pretty bad, I immediately deleted it and contacted them, but it included:

- Full name

- Date of Birth

- Some kind of National ID number

- Bank account details

- Address

If I was of a lesser moral character I'm sure I could have been very naughty with that information.


Another possibility is the email address is read out (such as over the phone) and a staff member transcribes it incorrectly.


GDPR has a requirement that data be accurate (Article 5, section 1 d). This is applicable in practice because of the Right to Rectification, Article 16.

https://gdpr-info.eu/art-16-gdpr/

The initial issue is probably not a violation of GDPR, and not a reportable data breach. However, not fixing the issue after it was brought to their attention is more likely to be a violation.


It's definitely a GDPR breach, but it may not necessarily be reportable to the data regulator. Imho it should definitely be reported to the data protection officer first before going to the regulator. Most frontline staff have no idea how to handle GDPR queries or issues, but it's the designated data protection officer's role to be responsible.



