Informed of GDPR breach

1997

Just wondering if anyone can advise on this. Had applied for a loan and was asked to send some personal information, accounts etc. Received a call today to say that some of the items were sent by accident to another financial institution. All apologies and said they reported to the relevant authorities and said items have been destroyed. I'm wondering should I report the issue myself as the more I think about it, to me it sounds very careless? Never had any issue like this before so grateful for any advice? Thks
 
Mistakes happen but who did you send the information to and who did they forward it on to? At least they reported it, they could have said nothing and you'd have been none the wiser?
 
I'm wondering should I report the issue myself as the more I think about it, to me it sounds very careless?
Realistically there is little benefit for anyone in you reporting this now. Given that the provider has already informed you, you can be pretty sure they have informed the DPC as per their obligations. I doubt there is anything of value that you could add to what the DPC already know.
 
Just wondering if anyone can advise on this. Had applied for a loan and was asked to send some personal information, accounts etc. Received a call today to say that some of the items were sent by accident to another financial institution. All apologies and said they reported to the relevant authorities and said items have been destroyed. I'm wondering should I report the issue myself as the more I think about it, to me it sounds very careless? Never had any issue like this before so grateful for any advice? Thks

As data controllers, they’re obliged to report, to the DPC, any data breaches for which they are responsible. They have also sought to minimise the extent to which you have been impacted by their offence. This is the responsible thing to do.

However, it doesn’t mean they are completely exonerated. There’s nothing to preclude you from reporting the breach to the DPC or to privately seek legal redress for any damage or loss you may have suffered as a consequence.
 
There’s nothing to preclude you from reporting the breach to the DPC or to privately seek legal redress for any damage or loss you may have suffered as a consequence.
Read their post again. They clearly haven't suffered any loss or damage.

Superfluous and pointless legal actions usually end in both tears and financial loss.
 
It depends on whether the misplacement of the data has any consequences for the OP. This may not be evident for some time.
It's sufficiently evident now from what they've posted that there's no indication that legal action is or will be warranted. I stand by my comment.
 
It depends on whether the misplacement of the data has any consequences for the OP. This may not be evident for some time.
The data wasn't obtained by hackers seeking to exploit or sell the data, it was sent to another financial institution, and let's assume they're not stupid enough to try use the data to spoof an identity and steal the cash!
 
The institution, which had a responsibility to protect the data, has released it beyond its own organisation and has effectively lost control over how this data is used.

One would hope that it will never be used in such a way as to damage or inconvenience the OP but no one can say this with absolute certainty.

Who’s to say that the receiving institution won’t also be careless in its protection of the data, perhaps with more sinister consequences?

Pointing out the potential longer-term consequences of a data breach is not the same as advocating legal action in dubious circumstances.
 
One would hope that it will never be used in such a way as to damage or inconvenience the OP but no one can say this with absolute certainty.
You are correct of course, no one can be certain it will never fall into the wrong hands, but that risk existed even before the data was sent to the 3rd party. Once any party has your data, that risk exists.
Who’s to say that the receiving institution won’t also be careless in its protection of the data, perhaps with more sinister consequences?
The receiving institution have a duty to delete that information, and the DPC will be following up to ensure that has taken place.

Pointing out the potential longer-term consequences of a data breach is not the same as advocating legal action in dubious circumstances.
But you didn't point out any potential consequence, you advocated reporting to the DPC (pointless, they already know) or seeking redress.
 
You are correct of course, no one can be certain it will never fall into the wrong hands, but that risk existed even before the data was sent to the 3rd party. Once any party has your data, that risk exists.

And the more parties that hold your data, the greater the risk. Hence, the legal requirement on data holders to protect it adequately.
The receiving institution have a duty to delete that information, and the DPC will be following up to ensure that has taken place.
Written confirmation will be sought as soon as possible. In due course. If not sooner.
But you didn't point out any potential consequence, you advocated reporting to the DPC (pointless, they already know) or seeking redress.

I said there was nothing to preclude the OP from reporting themselves if they wished to do so. That doesn’t constitute advocacy in my world but each to their own I guess.
 
I said there was nothing to preclude the OP from reporting themselves if they wished to do so. That doesn’t constitute advocacy in my world but each to their own I guess.
Yeah, so you said they could report it or seek legal redress. No mention of potential consequences...

Written confirmation will be sought as soon as possible. In due course. If not sooner.
Hold on, are you the OP?
 