Case Studies: Data Breach Notification
Disclosure due to misdirected email
A notification was received from a statutory body whose functions include the investigation of complaints concerning experts’ professional conduct, training or competence. The personal data breach occurred when a letter concerning a complaint against a specialist was attached to an email and sent to an incorrect address. The attachment contained personal data of several persons, including health data, and was encrypted. However, the password for the encrypted letter was issued in a separate email to the same incorrect address.
The nature of the personal data and the context all indicated a high risk to data subjects. The DPC accordingly confirmed that all affected persons had been notified of the breach, the risks and the measures being taken in response to them, as required by Article 34 of the GDPR. The DPC reminded the organisation of its continuing obligation to secure personal data that was accidentally disclosed, and of the importance of ensuring security when emailing personal data. The statutory body has undertaken a review of all its data protection processes, policies and procedures.
Misaddressed emails are one of the most common causes of breaches reported to the DPC. Encryption is a valuable tool that can help to protect against accidental disclosures. However, it is advisable to use a separate medium — such as a telephone call or SMS message — to send the password, as a single mistake in an email address can negate the benefits.
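One way an organisation can enforce the separate-medium rule at its mail gateway is to flag any outbound message that hands over a password to an address that recently received an encrypted attachment. The check below is an added example and is not code from the DPC or the statutory body; it assumes the gateway already marks messages carrying a password-protected attachment with an `encrypted` flag, and the log entries are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Heuristic for a message body that hands over a decryption password.
PASSWORD_RE = re.compile(r"\b(password|passphrase|passcode)\b", re.IGNORECASE)

# Constructed outbound-gateway log (not from the case study). The "encrypted"
# flag is assumed to be set by the gateway for password-protected attachments.
OUTBOUND = [
    {"id": 1, "ts": "2024-03-01T09:00:00", "to": "complaints@example-body.invalid",
     "encrypted": True, "body": "Letter regarding the complaint attached (encrypted)."},
    {"id": 2, "ts": "2024-03-01T09:01:30", "to": "complaints@example-body.invalid",
     "encrypted": False, "body": "The password for the attached letter is Zq7!pL"},
    {"id": 3, "ts": "2024-03-01T09:10:00", "to": "other@example-body.invalid",
     "encrypted": False, "body": "Password for the file sent earlier: abc"},
    {"id": 4, "ts": "2024-03-03T09:00:00", "to": "complaints@example-body.invalid",
     "encrypted": False, "body": "Reminder: the password is Zq7!pL"},
]


def same_channel_password_sends(messages, window=timedelta(hours=24)):
    """Return (password_msg_id, attachment_msg_id) pairs where a password was
    emailed to the same address that received an encrypted attachment within
    `window`. A gateway would hold these and require phone or SMS delivery,
    so that a single mistyped address cannot expose both the file and its key."""
    last_encrypted = {}  # recipient -> (timestamp, message id) of latest encrypted send
    hits = []
    for m in sorted(messages, key=lambda msg: msg["ts"]):
        ts = datetime.fromisoformat(m["ts"])
        recipient = m["to"].lower()
        if m["encrypted"]:
            last_encrypted[recipient] = (ts, m["id"])
            continue
        if PASSWORD_RE.search(m["body"]):
            prev = last_encrypted.get(recipient)
            if prev and ts - prev[0] <= window:
                hits.append((m["id"], prev[1]))
    return hits


if __name__ == "__main__":
    # Message 2 follows the encrypted send to the same address within the window;
    # message 3 goes elsewhere and message 4 is outside the 24-hour window.
    print(same_channel_password_sends(OUTBOUND))  # -> [(2, 1)]
```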