Breach Notification (Financial Sector) Bank Details sent by WhatsApp
A private financial sector organisation notified the DPC that a customer had made a request to obtain their IBAN and BIC numbers, which were held on file. The customer making the request was personally known to the member of staff dealing with the request. The member of staff, deviating from approved practices, used their personal mobile phone to send a picture of what they believed to be the requested information over a messaging platform (WhatsApp). However, the staff member erroneously sent details pertaining to another customer to the requesting customer.
The customer who received this information contacted the organisation to advise that the information received did not relate to their account and that they had undertaken to delete all offending material from their device. The organisation communicated with staff to remind them that only authorised methods of communication should be utilised when handling future requests of this nature. The organisation has also issued an apology to all affected data subjects.
The DPC issued a number of recommendations encompassing the use of only approved organisational communication tools, making staff fully aware of acceptable and non-acceptable behaviour when using organisational communications tools, and ensuring staff have undergone appropriate training in terms of their obligations/responsibilities under the provisions of the GDPR and the Data Protection Act 2018.