The DPC received a complaint from an individual against their employer relating to a data breach. The breach occurred when a HR folder, which contained the individual’s personal data, was placed on an open drive that was accessible to third party individuals. 

Having reviewed the information provided, the DPC noted that the employer had notified the breach to the DPC. As part of its notification, it advised that, due to human error, a folder, which contained the personal data of a number of employees, was accidently transferred to a common internal shared drive. It further advised that this folder was not accessible to anyone outside of the organisation. Once the employer became aware of this breach, it took immediate action to secure the files affected. The Human Resources folders were secured by removing them from the shared drive and relocating them to the appropriate local HR drive. 

The employer investigated this incident and confirmed that no further processing of personal data occurred in this instance. The employer informed the affected individuals of this breach and provided various updates regarding same via email. The employer subsequently provided the individual with a detailed list of the categories of personal data which were involved in this data breach. 

The DPC conducted an inspection at the employer’s premises. Having assessed the breach notification, the complaint received and the information established during the inspection, the DPC reminded the employer of its obligations under Article 5(1)(f) and Article 24 of the GDPR. The employer has since confirmed to the DPC the technical measures put in place to prevent a recurrence of such an incident in the future.