Most corporate emails contain sensitive information; therefore, the accidental disclosure of confidential information is a data breach under GDPR.
But when it comes to your email address itself, even though it’s considered personal information, its distribution isn’t necessarily considered a data breach under GDPR. There are a variety of factors and conditions to consider.
When Does Email Sharing Breach GDPR Requirements?
Email addresses are regarded as personal information because they can directly or indirectly identify a person. Therefore, it’s considered unlawful to share the following types of email addresses without consent:
Personal E-mail Addresses
Personal email accounts can be created via platforms such as Gmail, Outlook, or Yahoo. These accounts are used for various purposes, from subscribing to a website’s newsletter to registering an account on social media, banking, gaming, and more. Therefore, because the use of the account is unique to an individual, it can be used to directly identify the person.
Company E-mail Addresses Containing a Full Name
These email addresses are used for official company correspondence. They often follow the format of firstname.lastname@companyx.com. Because this format is very specific, it implies there’s only one John Smith working at Company X and directly identifies that person.
Under the GDPR, if a data breach occurs and exposes someone’s personal information, causing financial or psychological loss, they may seek compensation. You can also face severe penalties and fines.
Conclusion
Since the implementation of GDPR and the Data Protection Act of 2018, your personal data can no longer be shared without your express consent. By ensuring GDPR compliance, a company can avoid fines and ensure the security of its customers’ and employees’ personal information.