The complainant in this instance held a mortgage over a property with another individual. The complainant and the other individual left the original property and each moved to separate addresses. Despite being aware of this, the complainant’s bank sent correspondence relating to the complainant’s mortgage to the complainant’s old address, where it was opened by the tenants in situ.

In response, the complainant’s bank noted that its mortgage system was built on the premise that there would be one correspondence address and, in situations where joint parties to the mortgage no longer had an agreed single correspondence address, this had to be managed manually outside the system, which sometimes led to errors.

It was apparent that the data controller for the purposes of the complaint was the complainant’s bank, as it controlled the complainant’s personal data for the purposes of managing the complainant’s mortgage. The data in question consisted of (amongst other things) financial information relating to the complainant’s mortgage with the data controller. The data was personal data because it related to the complainant as an individual and the complainant could be identified from it.

Data protection legislation, including the GDPR sets out clear principles that data controllers must comply with when processing a person’s personal data. Of particular relevance to this claim was the obligation to ensure that the data is accurate and kept up to date where necessary, and the obligation to have appropriate security measures in place to safeguard personal data.

In applying these principles to the facts of this complaint, by maintaining an out-of-date address for the complainant and sending correspondence for the complainant to that address, the data controller failed to keep the complainant’s personal data up to date (Article 5(1)(d)). In addition, given the multiple pieces of correspondence that were sent to the wrong address, the data controller’s security measures failed to appropriately safeguard the complainant’s data (Article 5(1)(f). The obligation to implement appropriate security measures under Article 5(1)(f) is to be interpreted in accordance with Article 32 of the GDPR, which sets out considerations that must be taken into account by a data controller when determining whether appropriate security measures are in place.