
A short question and scenario.

Company X receives by mistake an invoice of Company Y (there is no relation between them). Company X reports the case to the Controller: "invoice is not mine, please send it to the right place."

Y's invoice contains the name and surname of an employee working in this company.

Would this personal data detail count as a data breach? Should company Y be informed about this breach?

Br

GDPR_noob
  • From a language standpoint, this is not a *data breach* but a *data leak*. – Dec 05 '18 at 13:14
  • In the context of invoices, sometimes employee names are indeed mentioned, or used as a short reference. My main concern is whether this scenario is bound to the 72 h notification of a personal data breach to the supervisory authority. If the invoice is of an individual, that's quite clear; it should count as an issue. But since the companies are not individuals, how should I treat these from a GDPR point of view? The info exists only in paper form, mentioned on the invoice, but is not part of the metadata our company is working with. – GDPR_noob Dec 05 '18 at 13:31

2 Answers

1

Whether the name is stored on paper or somewhere else does not matter. When you leak personally identifiable information (PII), which a name and surname are, it is regarded as a data leak. This is what a data breach is under GDPR Article 4:

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Article 33 states the following regarding the mandatory notification:

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. [...]

Just a name and surname is unlikely to result in a risk for the individual, and it is therefore not mandatory to notify the supervisory authority. Please note this might be different depending on the area where you work; an invoice for renting a pornographic movie, for example, might be harmful to someone. In the end, you are faced with a decision regarding the severity of the incident and whether you should report it or not.

As you can read here, you should be asking yourself the following questions to determine if you need to file a report or not.

  • What happened? What kind of incident was this: did you leave an AWS bucket with all of your users' financial data protected, or did you just send the wrong customer the wrong email?
  • How many people were affected? Is this a large-scale breach, or is it limited to just a handful of people? Most literature around GDPR puts the cut-off for "large-scale" at 500 data subjects.
  • What personal data was compromised? Is this just a customer’s name and email address? Or is it more sensitive data like financial information or special categories of personal data?
  • What is the risk to the affected data subjects? Worst case scenario, what could be done with this information to harm the data subject either financially, materially or reputationally?
  • What caused this situation? Was it an attacker exploiting your security? Was this a technical mistake? Human error?
  • How easily can this issue be mitigated? Will this take months to fix or is this just a simple tweak? When will you be able to accomplish this?

If you can answer those questions, you should be able to weigh what risks this personal data breach could pose to those affected and whether or not this incident rises to the level of reporting.

Kevin
0

Good answer by Kevin Voorn, but I would like to add a couple of things. Whether your employees' full names are usually in the public domain has a bearing on whether this is a leak/breach or not. Also how serious this is depends somewhat on the other data that can be inferred from the invoice. Let me give you an example:

  • Alison Smitherton is the employee in question, and from the rest of the invoice content it can be inferred which office she usually works from. Unfortunately, Alison is also a victim of domestic violence, and recently moved to a different office to escape her ex, whom she met at work. He knows someone who works in the company that received the invoice in error, and for some reason his friend told him about the invoice content. Her violent ex now knows where she works and what area of the country she lives in. He could choose to stalk her at her new workplace, and she could be in real physical danger because of this invoice error.

Ok, I admit this is an extreme case, but it's not beyond the realms of possibility, just extremely unlikely. A UK police force was fined quite a bit after accidentally leaking the location of a domestic violence victim, who was then attacked. The fine was pretty large, due to the seriousness of the problems that ensued.

If, due to the nature of your business, your employees' names aren't usually in the public domain for whatever reason, then it's also more serious. In this case, though, it may well be time for a review of what content goes on your standard invoices in order to prevent future problems.

Emily G