Case Studies Data Breach Notification

Disclosure due to misdirected email

The nature of the personal data and the context all indicated a high risk to data subjects. The DPC accordingly confirmed that all affected persons had been notified of the breach, the risks and measures being taken in response to them, as required by Article 34 of the GDPR. The DPC reminded the organisation of its continuing obligation to secure personal data that was accidentally disclosed, and of the importance of ensuring security when emailing personal data. The statutory body has undertaken a review of all its data protection processes, policies and procedures.

Misaddressed emails are one of the most common causes of breaches reported to the DPC. Encryption is a valuable tool that can help to protect against accidental disclosures. However, it is advisable to use a separate medium — such as a telephone call or SMS message — to send the password, as a single mistake in an email address