Is Sharing An Email Address A Breach Of GDPR?
By Cat Way. Last Updated 30th November 2023. Is an email address personal data? You might be wondering if you could make a personal data breach claim if your email address has been exposed or compromised in a breach. The personal data of all UK residents is protected under the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR).
In this guide, we’ll explore how this legislation protects your email address and other personal data. We’ll also explore the criteria that your case must meet in order to form the basis of a valid personal data breach claim.
A personal data breach can cause significant harm to both your mental health and your finances. Our guide will discuss how you could pursue compensation for harm to both these areas and how this compensation is calculated by professionals.
Finally, we will explore how working with a solicitor could benefit your claim. Our solicitors work on a No Win No Fee basis, and are on hand to help. To learn more about the UK GDPR and email addresses, read on. Alternatively, you can contact our team of advisors to get started:
Select a Section
- Is An Email Address Personal Data?
- Data Breach Claim Eligibility
- When Can Your Email Address Be Shared?
- Data Protection Breach Examples In The UK
- Examples Of Evidence To Support Your Personal Data Breach Claim
- Data Breach Compensation Calculator
- How Could No Win No Fee Solicitors Help You?
- More Help On Is Sharing An Email Address A Breach Of GDPR?
According to the Information Commissioner’s Office (ICO), personal data can include any data that can identify you as the subject, such as your name and address. An email address could be personal data as well. Additional protections are given to special category personal data due to its sensitive nature. Special category data can include racial or ethnic background, political opinions, and religious beliefs.
A personal data breach occurs when the confidentiality, availability or integrity of your personal data is impacted. It is a security incident that can occur accidentally through human error or deliberately, such as criminals hacking a database. If your email address was included in a data breach, you might be eligible for compensation if you suffered psychologically or financially as a result.
Call our advisors to discuss what steps to take if your email address or other personal data has been breached.
In order to make an eligible claim for data breach compensation, you will need to meet the following eligibility criteria:
- The data breach was caused by the organisation’s failings.
- The breach compromised your personal data.
- You suffered financial losses or mental harm due to the personal data breach.
Any organisation that processes your personal data must adhere to the rules and regulations found in the UK GDPR and the DPA 2018, as together, these form data protection laws. If they fail to comply with data protection laws, this could result in your personal data being breached. It is a breach of the UK GDPR for email addresses to be shared without a lawful basis for doing so. You must have also suffered either psychological injuries or financial harm as a result of the email sharing.
To see whether you may have a valid claim, you can contact our advisors. They may also be able to connect you with one of our solicitors who could assist you with your case.
Sometimes, if you sign up for products and services, enter competitions or request information from an organisation, you could give out some of your personal data to do so. If you did so before 2018, when the UK GDPR was implemented and the Data Protection Act 2018 updated alongside it, your personal data may not have been as well protected.
Now, under the UK GDPR, giving out email addresses could be considered unlawful in some instances. However, in other instances, it may not be a breach of GDPR. In addition to this, under GDPR, sending personal data by email could be considered a data breach. So too could an email data leak, such as having personal information sent to the wrong email address, and this could have a number of unwanted consequences.
Organisations can lawfully share your personal information if:
- You consent to it; or
- They need to do so to fulfil a contract with you; or
- They need to do so to comply with the law; or
- Your life or someone else’s life is in danger and it’s, therefore, necessary; or
- They’re using it to fulfil a task that’s in the public interest; or
- They have legitimate business interests
If you are wondering how your personal data could be involved in a breach, we will examine UK GDPR breach examples below. When organisations fail to adhere to the legislation in place to protect personal data, breaches could occur.
Organisations need to ensure that their staff with access to personal data are given training in data protection compliance. For example, an email data breach could occur if staff fail to use the blind carbon copy (BCC) field when sending a newsletter. The BCC feature prevents anyone in receipt of a mass email from seeing the email addresses of anyone included in the email.
Further personal data breach examples include:
- Written files containing personal data, including email addresses, being stolen because they are not kept in a secure location.
- The unauthorised alteration of personal data, such as changing an address without the permission of the data subject.
- Verbal disclosure of personal data, such as over the telephone. Organisations should have phone procedures in place, such as when booking appointments, to confirm the identity of the data subject.
- Unauthorised deletion of personal data. For example, an employee deletes email addresses in contact information.
If your personal data was included in a breach, call our advisors for a free assessment of your claim’s chance at success. You could be passed to our specialist data breach solicitors if our advisors think you could recover compensation.
Gathering evidence after an email data breach that compromised your personal information can be extremely beneficial to your claim. Evidence can help showcase how you were harmed, how the breach occurred, and who was responsible for the UK GDPR breach. Examples of evidence that you could collect to strengthen your claim can include:
- Correspondence with the party at fault: You may receive a letter or email of notification if your data was compromised in a data breach. Following this, you could ask the organisation to specify what personal data was compromised.
- Medical records: Your medical records or any other medical documents that illustrate how the breach has affected your mental well-being could be used to support your claim.
- Correspondence with the ICO: Complaints made to the ICO or the findings of an official ICO investigation could both be used as evidence in your claim.
These are only a few examples of the kinds of evidence that could be used to support a personal data breach claim. Contact our team today to find out how one of our solicitors could help you strengthen your claim.
If you’ve suffered a personal or work email address data breach that has affected your personal data, you may want to know more about your data rights and the potential compensation you could receive. A UK GDPR email breach resulting from an organisation’s failings that affects your personal data and causes you financial damage or psychological harm could result in you receiving compensation.
Non-material damages relate to the psychological trauma you may have experienced from your personal data being breached. Psychological injuries you may be able to claim for include anxiety, depression, distress and post-traumatic stress disorder.
Below is a list of compensation brackets from the Judicial College Guidelines based on past cases. These figures are taken from the latest guidelines, published in April 2022.
Please remember that these figures only provide a potential compensation guideline. Solicitors use these figures to help estimate what your claim may be worth alongside other evidence provided in support of your case.
As every claim is unique, you are likely to receive a different amount to the ones listed below. This is because the compensation amount for a successful claim can be based on many factors.
| Type of Harm | Notes | Amount |
|---|---|---|
| Psychological Harm | Severe - A very poor prognosis. The person will struggle to maintain relationships and cope with daily life. | £54,830 to £115,730 |
| Psychological Harm | Moderately Severe - A more positive prognosis; however, the person will still struggle with various problems. | £19,070 to £54,830 |
| Psychological Harm | Moderate - A good prognosis with significant improvements made. | £5,860 to £19,070 |
| Psychological Harm | Less Severe - How long the person suffered and how much sleep and other activities were affected will determine how much is awarded. | £1,540 to £5,860 |
| PTSD | Severe - All areas of the person's life are negatively affected, and they will be unable to function as they did pre-trauma. | £59,860 to £100,670 |
| PTSD | Moderately Severe - A better prognosis with room for some recovery with help from a professional. However, the person will still suffer with various issues. | £23,150 to £59,860 |
| PTSD | Moderate - A large recovery will have happened, with any problems not being majorly disabling. | £8,180 to £23,150 |
| PTSD | Less Severe - Within one to two years a full recovery will have been made. | £3,950 to £8,180 |
How Much Compensation Can I Claim For a GDPR Email Breach?
Material damages relate to the financial losses you’ve suffered as a result of the UK GDPR email breach of your personal data. Potential financial losses you could incur from such a data breach include:
- Healthcare costs – For instance, you may require medication to treat stress caused by the breach.
- Stolen funds – If sensitive financial information, such as bank details, has been sent to the wrong person, you could have money stolen from your account.
- Losses caused by identity fraud – This could lead to you having to pay outstanding bills because someone has assumed your identity as a result of the breach.
- Travel costs – If, for instance, you’ve had to drive to the hospital for health appointments related to this, you may be able to claim for the expenses caused, such as the cost of petrol.
- Loss of earnings – You could lose money because you’re unable to work as a result of stress caused by the breach. If this is long-term or permanent, you may also be able to claim for future loss of earnings.
However, this is not an exhaustive list of the losses you could claim for. You could potentially claim for other financial loss relating to the data breach. However, you would need financial evidence highlighting these losses such as receipts, invoices and bank statements. To learn more about claiming for a GDPR email breach, please contact us for free legal advice using the details above.
If you have a valid claim for email data breach compensation, you could claim with one of our No Win No Fee lawyers.
No Win No Fee means you would not pay legal fees to your lawyer until your claim ends, and compensation comes through. A No Win No Fee solicitor would need to have you sign a Conditional Fee Agreement prior to taking your claim. (This is a formal term for a No Win No Fee agreement.)
This would denote the percentage of the success fee you’d pay from your settlement to your lawyer at the end of your claim. You’d only pay this if the claim is successful. Additionally, the fee is capped by law.
If your solicitor doesn’t achieve compensation, you wouldn’t need to pay them any solicitor fees at all.
Contact Our Team
Here at Legal Expert, we would be happy to assist you if you want to have a free claims assessment or you’re ready to begin a No Win No Fee claim. Our service comes highly recommended, as you can see from our reviews. All you need to do to get started is:
- Call 0800 073 8804
- Complete the online claim form
- Email email@example.com
- Use our Live Chat on this page
The ICO Guide To Sharing Personal Data By Email – As well as learning the answer to ‘is sharing an email address a breach of GDPR?’, you can find out what the ICO says about sending personal data by email here.
What Are Personal Data Breaches? – More information about what constitutes a data breach can be found here.
Raising Concerns With The ICO – You can learn how to raise concerns with the ICO here.
Fax Data Breaches – Find out if you could claim for a fax data breach here.
The Blackbaud Data Breach – You can find out about the Blackbaud data breach here.
Failure To BCC Claims – Find whether a failure to use the BCC field could lead to a claim here.
Other Useful Compensation Guides
- If you work for a school or if your personal data held by a school is shared by email, you could make a data breach claim against that school.
- University Data Breach Compensation Claims
- Anglia Ruskin University Data Breach Compensation Claims Guide
- I Suffered Stress Due To A Data Breach Am I Eligible To Claim Compensation?
- GP Data Breach Compensation Claims
- Employer Personal Data Breach Compensation Claims
- Compensation For Loss Of Medical Records
- Learn how to make a school data breach claim with our helpful guide and find out more about the data breach claims process.
We hope this guide, which has answered popular questions such as ‘is an email address personal data?’ and ‘is sharing an email address a breach of GDPR?’, has proven to be useful. If you would like to speak to an advisor about any queries you have, then please don’t hesitate to get in touch. You can contact Legal Expert on the phone or online by using the contact details included in this guide.
Written by Jen Jeffries
Edited by Rianne Victorine