Personal e-mail obtained due to compromised work account (GDPR) [on hold]





At my current place of work a phishing e-mail was sent from an employee's e-mail address (let's call them Sally). An e-mail originating from Sally's account was sent to everyone's work e-mail within the organisation; after the fact, everyone within the company was made aware that this was a phishing e-mail and that Sally's account had been compromised.



The exact same e-mail was also sent to multiple employees' personal e-mail addresses, which means that whoever gained access to Sally's account now has my and others' personal e-mail addresses.



What is a company's responsibility regarding the private information of an individual in the case of an unauthorised attacker gaining this information, and has GDPR or any other relevant data privacy legislation been breached by the company in this instance?










put on hold as off-topic by Summer, rath, gnat, solarflare, gazzz0x2z Nov 16 at 17:25


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." – Summer, rath, gnat, solarflare, gazzz0x2z

If this question can be reworded to fit the rules in the help center, please edit the question.









  • 1
    Why do you assume the company has any responsibility regarding private data?
    – SZCZERZO KŁY
    Nov 14 at 15:51

  • 2
    This is probably better placed on law.se, since you're asking about a company's legal responsibilities.
    – berry120
    Nov 14 at 16:03

  • Email addresses are not private. I'm not sure what level of privacy you can reasonably expect from something that's given out to nearly every website you have registered with.
    – Terry Carmen
    Nov 14 at 17:04

















united-kingdom security privacy gdpr






asked Nov 14 at 15:44









Workplace GDPR

142




1 Answer
It depends entirely on the context in which "Sally" had your personal email:



If the reason "Sally" had your personal e-mail address was because the company (or Sally acting on behalf of the company) had specifically requested it (say she was working in HR and it comprised part of your employee contact details or something), then they would be considered the "processor" for that Personally Identifying Information (PII), this could be considered a breach, and they would have to notify the ICO, although any further steps they may or may not need to take will depend upon what the ICO say and the perceived level of risk to the affected individuals.



If, however, "Sally" had these personal addresses for non-company purposes, then your employer was not acting as a "processor" for the data and therefore has no obligations under GDPR.






  • Thanks, Sally did indeed have my e-mail as part of her role when recruiting me to the company.
    – Workplace GDPR
    Nov 14 at 16:29


















answered Nov 14 at 16:08









motosubatsu

39.2k18101163



