The DPC received a notification from a statutory body tasked with investigating complaints about the professional conduct of experts. The breach occurred during the course of a public hearing, which was held remotely, when access permissions were incorrectly provided to attendees including journalists. 

This error made visible documents revealing personal data, that members of the public were not entitled to view as they did not form part of the hearing. The personal data, which was unintentionally disclosed during the hearing was subsequently published by journalists in numerous media outlets. 

The breach was assessed as high risk because the data subject’s location which was published could be inferred from the data disclosed. 

By way of mitigation, the statutory body confirmed removal of the personal data by the media outlets. In addition, the organisation updated their technical and organisational measures to restrict access to personal data.