Data Protection Advice

JL1985

Striker
I made a complaint to an energy company a few weeks ago and when they responded, they mixed me up with another customer on a few occasions. I notified them about this and they then sent me the below email.


“In regard to the incident, we understand that while responding to your complaint, the personal details of another customer were incorrectly shared with you due to human error. We apologise for this error.
As an organisation, we take our data protection obligations very seriously and have an obligation to comply with the Data Protection Act 2018 and other relevant data protection legislation. We therefore legally require you:
1) to not share any information you have received with anyone else
2) to immediately delete and securely dispose of any copies of the data you have received regarding the other customer and confirm to us once you have done so.
To confirm, we have contacted the affected customer and have let them know that their information was sent to another recipient by mistake.
To reiterate, can you also please confirm to us when you have completed the above actions in regard to the affected customer's details.”

Do I actually legally have to do anything of what they say?

Any advice would be appreciated.

Thanks

Tell them to fuck off and tell them you've reported them to the data commissioner.
Tell them you will delete the information once the Information Commissioner's Office has replied to your query and asked you to delete it.
Then query it with the ICO.

As above.

They will shit themselves
GDPR is generally taken very seriously. I expect they will have already assessed the matter internally and be looking at procedural ways to prevent it happening again. If it's a big company, it's likely they will have a member of staff specifically employed to look at such things. Depending on the severity of the breach, i.e. how many people are involved, what information, etc., they might refer themselves to the ICO. So I doubt OP sending a rude, threatening email will make them 'shit themselves'.

OP, be the decent person, delete the personal information and get on with your life.

They won’t have reported themselves.

OP ignore this wingnut and send a snotty note back.

Ruin their day.
I have no interest in keeping someone else’s personal data, I was just interested to know if I actually had a legal obligation to delete it or if it was just a threat.
If the breach is sufficiently bad they will have done. Data breaches are bad, but attempting to hide a data breach would get a company in a shitload more trouble. Big companies will not take the risk. If the OP is minded to contact the ICO then I can understand that. But sending snotty emails around is really churlish. From experience, the sort of people who send them are the sort of people who would not even say boo to a goose in real life.

You don’t.

The poorly worded email to him suggests to me they don’t have a clue what they’re doing.

They don’t ‘legally require’ him to do anything.

They have a legal responsibility to ask him to do something - preferably delete it and not forward it on.

He’s within his rights to tell them to fuck off.

They don't legally require him to do anything. They have the legal responsibility to tell him he has legal duties under the GDPA.