Financial information erroneously cc’d to a restaurant (Applicable law — Data Protection Acts 1988 and 2003 (the Acts))
We received a complaint concerning the alleged disclosure by a motor dealership of the complainants’ personal data to a third party. The complainants had provided the dealership with copies of their driver’s licences and bank details, including bank statements and full account details, in order to purchase a car through a Personal Contract Plan. They were subsequently copied in on an email from the dealership to a third-party email address, believed to be an address associated with a bank, which contained the complainants’ driver’s licences and bank details. The complainants were concerned that the third-party address was that of a restaurant and contacted the dealership about this, but were assured that the email address in question pertained to a bank and was secure.
The complainants remained concerned over the ownership of the email address, conducted online research into the matter, and were confident the email address was that of a restaurant. In order to confirm their suspicions, a friend of the complainants sent an email to the address in question and the response received confirmed it was that of a restaurant.
In the course of our examination, the dealership accepted that the email had been sent in error to the wrong address. Notwithstanding this acknowledgment, it was clear that no attempt had been subsequently made to contact the restaurant in order to request that the information erroneously sent be deleted by the unintended recipient. Upon instruction from this office, we received confirmation that the dealership had contacted the restaurant and requested that the email, including the documents, be deleted. The dealership put forward a proposal for amicable resolution that was accepted by the complainants.