Is Sharing an Email Address A Breach Of GDPR?
By Cat Soong. Last Updated 6th June 2022. There are many common questions that surround the UK General Data Protection Regulation and what constitutes a personal data breach. In this guide we aim to answer the question ‘is sharing an email address a breach of GDPR?’
While you may be under the assumption that sharing an email address could not have negative consequences, it could, in fact, cause problems. But is sharing an email address without permission in the UK a GDPR breach in all cases? Or would it not always constitute a breach of GDPR?
Is Sharing An Email Address A Breach Of GDPR? How This Guide Could Help
Below, we discuss in detail what GDPR says about giving out email addresses. We answer questions such as:
- Is an email address personal data?
- Is a work email address personal data?
- What happens if confidential information is sent to the wrong email address?
- What constitutes a GDPR email breach?
In addition, we explain how to go about making an email data breach claim, and what data breach compensation you could claim. We also look at the role of a data breach solicitor in helping you start a claim. To get started right away, you could call our expert team on 0800 073 8804. Or, continue reading to see if we’ve answered your questions below.
Select a Section
- Is Sharing An Email Address A Breach Of GDPR?
- When Can Your Email Address Be Shared?
- How Could Your Email Address Have Been Leaked?
- What Can I Do If My Email Was Shared Without My Consent?
- Data Breach Compensation Calculator
- How Could No Win No Fee Solicitors Help You?
- Get Help From A Data Breach Claims Expert
- More Help On Is Sharing An Email Address A Breach Of GDPR?
If you’re wondering ‘is sharing an email address a breach of GDPR?’, it could be. In general, if you give permission for an organisation to share your personal data, then sharing your email address might not constitute a breach. However, if an email address is shared without consent or another lawful reason, and you receive marketing emails as a result, for example, this could be a GDPR breach.
Your email address is considered personal information. Personal information or personal data is anything that can be used to identify you, whether directly or indirectly. Your personal data can be held by data processors (organisations that process personal data) and data controllers (organisations that determine how it will be processed and for what purposes).
As such, exposing your email address without your authority or a lawful reason could be considered a breach of GDPR. However, this could only be the case if your address falls into one of two different categories.
Is an email address personal data?
When it comes to your personal email address this could be considered personal data. Your email address could be one you signed up to, such as Gmail, Outlook or Yahoo, for example.
Is my work email address personal data?
Your work email address could be personal data if it contains both your first and last name, for example firstname.lastname@placeofwork. However, if your work email is from a shared inbox (for example, it starts with ‘info@’ or ‘hello@’) this address would not usually be considered personal data. After all, info@ and hello@ email addresses could be public knowledge, accessible to anyone, and wouldn’t identify you.
If the sharing of an email address does constitute an email data breach, you could claim compensation if the breach exposes your data and causes you emotional or financial harm. However, in order to claim, you’d need to show that the organisation that was supposed to protect your personal information failed to do so through positive wrongful conduct.
As such, in relation to GDPR and email addresses, you wouldn’t necessarily be able to claim compensation if a company was sold your email address and began to contact you. You would need to prove that your personal data was accessed without your permission through an email data breach, for example, in which the data processor or data controller should have done more to protect your data.
Below, we explain more about the types of compensation you could receive if an organisation is sharing an email address without permission, GDPR rules surrounding your personal email address, and how breaches could happen.
Sometimes, if you sign up for products and services, enter competitions or request information from an organisation, you could give out some of your personal data to do so. If you did in the past, prior to 2018 when the UK GDPR was implemented and the Data Protection Act 2018 updated alongside it, your personal data may not have been as well-protected.
Now, under the UK GDPR, giving out email addresses could be considered unlawful in some instances. However, in other instances, it may not be a breach of GDPR. In addition to this, under GDPR, sending personal data by email could be considered a data breach. So too could an email data leak or having personal information sent to the wrong email address, and this could have a number of unwanted consequences.
Organisations can lawfully share your personal information if:
- You consent to it; or
- They need to do so to fulfil a contract with you; or
- They need to do so to comply with the law; or
- Your life or someone else’s life is in danger and it’s, therefore, necessary; or
- They’re using it to fulfil a task that’s in the public interest; or
- They have legitimate business interests
Could I claim?
Under data protection law, if your personal information is involved in a data breach that exposes your personal information and that leads to financial or psychological harm, you could claim compensation.
However, you’d need to show that the organisation you entrusted your personal information to failed to protect it through positive wrongful conduct. For example, they might have not trained staff in data protection, which caused them to share your email address without a lawful basis. This is the type of email data breach you may be able to claim compensation for.
Your email address could legally be shared if you give a company permission. It is essential that you carefully check what you are signing up to when giving out your personal email address. That way, you will be aware of the data you are allowing an organisation to share and whether you are signing up for marketing emails.
If you’re looking into data breaches because of confidential information being sent to the wrong email address, this will be discussed in more detail below.
There are various ways in which an organisation could expose your email address. One example has been widely reported in the media.
Real Email Data Breach Case Studies
To help illustrate how incorrect use of CC and BCC can contribute to a breach of GDPR that leads to a personal data breach, this section looks at a real email data breach case study from Serco in 2020.
At the beginning of the Coronavirus pandemic in May 2020, the outsourcing company Serco accidentally revealed the email addresses of 300 people training to assist the Government’s “track and trace” service.
The breach occurred when a member of staff wrote an email to the recipients asking them not to contact the help desk for information on their training. However, instead of listing the personal email addresses in the BCC section, all of the addresses were listed in the CC section. This means that instead of being hidden, the personal email addresses of all the fellow trainees were clearly visible.
At least one employee reported this breach to the ICO, and while the firm was not fined, many similar cases have resulted in companies being fined for their misuse of CC and BCC.
To learn more about the GDPR and email addresses, contact our advisors today. They can offer free legal advice, and help you understand how you could claim after a personal data breach of your email address.
Other ways an email data leak could happen
- Confidential email sent to the wrong email address – this could happen due to an error in typing an email address, or could relate to autofill settings.
- Forwarding email chains but failing to check personal/private information is removed from the content.
- Email addresses being hacked due to data not being stored securely or properly.
- Malicious activity by way of those inside or outside the organisation sharing an email address without permission or another lawful reason.
Is Sharing An Email Address A Breach Of GDPR In Your Case?
If you would like our advisors to check whether an organisation has breached GDPR when sharing email addresses, we would be happy to do so. If we believe you could be eligible for compensation, we could connect you with a data breach solicitor who could help you.
When you believe your email has been shared without your consent or without another lawful reason, or an organisation informs you that this has happened, you may be wondering what to do. Should you report the data breach? How do you go about doing so?
Initially, you should take the issue up with the organisation. You may want to ask them for further information on what personal data has been affected. They should work with any affected parties to resolve the issues raised by a breach.
If you’re not happy with the organisation’s response, you could report the issue to the ICO within three months of their final response for them to (potentially) investigate.
My data has been breached; what can I do about getting compensation?
You don’t have to report an email data breach to claim data breach compensation relating to a breach of GDPR when giving out email addresses. However, you would need to prove:
- Your personal data had been exposed
- It was due to wrongdoing on an organisation’s part
- The breach caused harm to you – emotionally, financially or both
Here at Legal Expert, we could help you if you have questions about GDPR and personal or work email data breaches. We would need to assess your case, which we could do free of charge. If we believe you could have a strong claim, we could connect you with a No Win No Fee solicitor. They could help you fight for compensation.
What Steps Should I Take If My Confidential Information Is Sent To The Wrong Email Address?
(Though confidential information might not always include personal data, in this instance, when we mention ‘confidential information’, we’re using it interchangeably with ‘personal information’.)
If your confidential information has been sent to the wrong email address by a data processor or data controller, they need to inform you as soon as possible. The information they need to provide includes what information has been shared and the potential consequences that come with the sharing of this information.
The data controller or processor should then notify the ICO of the breach within 72 hours of them becoming aware of it. In terms of answering, “what steps should I take if my confidential information is sent to the wrong email address?”, you could:
- Directly contact the company that committed the breach. In some cases, they will admit that confidential information was sent to the wrong email address and offer compensation.
- Make a compensation claim. If you have sufficient evidence that your personal data was shared from an email data breach, for instance, you could receive compensation if you suffered financial loss or psychological harm. You have six years to claim against a private body and one year to claim against a public body.
- Furthermore, you can also make a complaint with the ICO. You do not need to do this in order to receive compensation as this is completely separate from a compensation claim. Therefore, you are able to do both at the same time.
If you have more questions about GDPR and email addresses, you can contact us at a time that works for you.
If you’ve suffered a personal or work email address data breach that has affected your personal data, you may want to know more about your data rights and the potential compensation you could receive. A UK GDPR email breach resulting from an organisation’s failings that affects your personal data and causes you financial damage or psychological harm could result in you receiving compensation.
Non-material damages relate to the psychological trauma you may have experienced from your personal data being breached. Psychological injuries you may be able to claim for include anxiety, depression, distress and post-traumatic stress disorder.
Below is a list of compensation brackets from the Judicial College Guidelines based on past cases. These figures are taken from the latest guidelines, published in April 2022.
Please remember that these figures only provide a potential compensation guideline. Solicitors use these figures to help estimate what your claim may be worth alongside other evidence provided in support of your case.
As every claim is unique, you are likely to receive a different amount to the ones listed below. This is because the compensation amount for a successful claim can be based on many factors.
| Type of Psychological Damage | Guideline Compensation Bracket | Severity |
|---|---|---|
| Psychiatric Damage Generally | £54,830 to £115,730 | Severe |
| Psychiatric Damage Generally | £19,070 to £54,830 | Moderately severe |
| Psychiatric Damage Generally | £5,860 to £19,070 | Moderate |
| Psychiatric Damage Generally | £1,540 to £5,860 | Less severe |
| PTSD | £59,860 to £100,670 | Severe |
| PTSD | £23,150 to £59,860 | Moderately severe |
| PTSD | £8,180 to £23,150 | Moderate |
| PTSD | £3,950 to £8,180 | Less severe |
How Much Compensation Can I Claim For a GDPR Email Breach?
Material damages relate to the financial losses you’ve suffered as a result of the UK GDPR email breach of your personal data. Potential financial losses you could incur from such a data breach include:
- Healthcare costs – For instance, you may require medication to treat stress caused by the breach.
- Stolen funds – If sensitive financial information, such as bank details, has been sent to the wrong person, you could have money stolen from your account.
- Losses caused by identity fraud – This could lead to you having to pay outstanding bills due to someone assuming your identity due to the breach.
- Travel costs – If, for instance, you’ve had to drive to the hospital for health appointments related to this, you may be able to claim for the expenses caused, such as the cost of petrol.
- Loss of earnings – You could lose money because you’re unable to work as a result of stress caused by the breach. If this is long-term or permanent, you may also be able to claim for future loss of earnings.
However, this is not an exhaustive list of the losses you could claim for. You could potentially claim for other financial loss relating to the data breach. However, you would need financial evidence highlighting these losses such as receipts, invoices and bank statements. To learn more about claiming for a GDPR email breach, please contact us for free legal advice using the details above.
If you have a valid claim for email data breach compensation, you could claim with one of our No Win No Fee lawyers.
No Win No Fee means you would not pay legal fees to your lawyer until your claim ends, and compensation comes through. A No Win No Fee solicitor would need to have you sign a Conditional Fee Agreement prior to taking your claim. (This is the formal term for a No Win No Fee agreement.)
This would denote the percentage of the success fee you’d pay from your settlement to your lawyer at the end of your claim. You’d only pay this if the claim is successful. Additionally, the fee is capped by law.
If your solicitor doesn’t achieve compensation, you wouldn’t need to pay them any solicitor fees at all.
Is Sharing An Email Address A Breach Of GDPR?: Making A No Win No Fee Claim
To make sure your claim has a favourable chance of bringing a compensation settlement, your lawyer would need to check a few things. They would need to ascertain:
- Whether a personal data breach had happened and your data was involved
- If it was due to wrongdoing on an organisation’s part
- Whether the claimant suffered non-material damages or material damages
- If the claim was within the limitation period (1 year from the date of knowledge for breaches against public bodies, 6 years otherwise)
If you’d like us to assess whether a solicitor could take on your case under a No Win No Fee agreement, please get in touch.
Hopefully, we’ve now answered the question of ‘is sharing an email address a breach of GDPR?’ You should now be informed about your rights regarding someone else sharing an email address without permission and the UK GDPR.
Here at Legal Expert, we would be happy to assist you if you want to have a free claims assessment or you’re ready to begin a No Win No Fee claim. Our service comes highly recommended, as you can see from our reviews. All you need to do to get started is:
- Call 0800 073 8804
- Complete the claim online form
- Email firstname.lastname@example.org
- Use our Live Chat on this page
The ICO Guide To Sharing Personal Data By Email – As well as learning the answer to ‘is sharing an email address a breach of GDPR?’, you can find out what the ICO says about sending personal data by email here.
What Are Personal Data Breaches? – More information about what constitutes a data breach can be found here.
Raising Concerns With The ICO – You can learn how to raise concerns with the ICO here.
Fax Data Breaches – Find out if you could claim for a fax data breach here.
The Blackbaud Data Breach – You can find out about the Blackbaud data breach here.
Failure To BCC Claims – Find whether a failure to use the BCC field could lead to a claim here.
We hope you found the answer to ‘Is sharing an email address a breach of GDPR?’ in this guide. If you have any queries, don’t hesitate to get in touch.
Written by Jeffries
Edited by Victorine