Personal e-mail obtained due to compromised work account (GDPR) [on hold]
At my current place of work a phishing e-mail was sent from an employee's e-mail address (let's call them Sally). An e-mail originating from Sally's account was sent to everyone's work e-mail within the organisation; everyone within the company was made aware after the fact that this was a phishing e-mail and that Sally's account was compromised.
The exact same e-mail was also sent to multiple employees' personal e-mail addresses, which means that whoever gained access to Sally's account now has my and others' personal e-mail addresses.
What is a company's responsibility regarding the private information of an individual in the case of an unauthorised attacker gaining this information, and has GDPR or any other relevant data privacy legislation been breached by the company in this instance?
united-kingdom security privacy gdpr
put on hold as off-topic by Summer, rath, gnat, solarflare, gazzz0x2z 17 hours ago
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." – Summer, rath, gnat, solarflare, gazzz0x2z
If this question can be reworded to fit the rules in the help center, please edit the question.
1
Why do you assume the company has any responsibility regarding private data?
– SZCZERZO KŁY
2 days ago
2
This is probably better placed on law.se, since you're asking about a company's legal responsibilities.
– berry120
2 days ago
Email addresses are not private. I'm not sure what level of privacy you can reasonably expect from something that's given out to nearly every website you have registered with.
– Terry Carmen
2 days ago
asked 2 days ago
Workplace GDPR
1 Answer
It depends entirely on the context in which "Sally" had your personal email:
If the reason "Sally" had your personal e-mail address was because the company (or Sally acting on behalf of the company) had specifically requested it (say she was working in HR and it comprised part of your employee contact details or something), then they would be considered the "processor" for that Personally Identifying Information (PII), and this could be considered a breach and they would have to notify the ICO, although any further steps they may or may not need to take will depend upon what the ICO say and the perceived level of risk to the affected individuals.
If however "Sally" had these personal addresses for non-company purposes then it's not that your employer was acting as a "processor" for the data and therefore they have no obligations under GDPR.
Thanks, Sally did indeed have my e-mail as part of her role when recruiting me to the company.
– Workplace GDPR
2 days ago
answered 2 days ago
motosubatsu