What actions should be taken when a mailing is sent to many recipients without using BCC?
ANSWER
The situation described constitutes a personal data breach as defined in Article 4(12) GDPR, i.e. the disclosure of personal data to unauthorised persons. Information on how to proceed in the event of a data breach can be found in the article: "Managing breaches – action plan", and I would also recommend using our breach severity calculator to determine whether the personal data breach described should be reported to PUODO. In the event of a personal data breach, the controller should act in accordance with the GDPR, and in particular Articles 33 and 34 GDPR, in order to minimise the consequences of the breach, which will affect any subsequent decisions of the supervisory authority.


