Guides & articles Is revealing my email address a breach of GDPR?

Peter Hammond I am a solicitor who has specialised in data breach compensation claims.
Is revealing my email address a breach of GDPR?

Although your e-mail address is personal, private, and confidential, revealing it is not necessarily a breach of GDPR. In order for a revealed email address to be considered a breach of GDPR the e-mail address has to fall into a specific category, namely one of the following:

  • A personal e-mail address such as Gmail, Yahoo, or Hotmail
  • A company email address that includes your full name such as firstname.lastname@company.com

If the revealed e-mail address does not fall into one of these categories, then there is no case of GDPR or data breach. That means that admin@, info@, and similar business addresses do not fall into a protected category by GDPR. These are public knowledge and accessible by anyone.

However, when a personal email address or e-mail address containing PII (Personal Identifiable Information) is widely distributed or leaked it opens up the recipient to spam and viruses, as well as unwanted attention and easier ways to track the owner. When the e-mail address contains PII, be it a personal or business email address, this can also become dangerous if the information falls into the wrong hands.

How do email addresses get shared?

When you give your email address to a company you are entrusting them with personal information. This might be to sign up to something, enter a competition, join a mailing list, or even receive quotes or other information. Prior to the implementation of GDPR and the Data Protection Act of 2018, this information could be more easily shared with other companies who would pay for good email addresses for marketing purposes. Thankfully, new laws mean that companies cannot share your information without your express consent.

So how does an e-mail address get revealed at all?

There are different ways that your email address may have been leaked, and not all of them are malicious or intended – however, they are still an abuse of your rights and a breach of GDPR. Some of the offences include:

  • Using the CC (carbon copy) field in emails instead of the BCC (blind carbon copy) field, meaning all addresses are visible to all recipients
  • Accidentally sending information to the wrong email address. This is especially prevalent where an autofill has been used to address an email.
  • Forwarding an email chain without checking all personal and private information has been removed from the visible content
  • E-mail addresses and other data not being stored correctly or safely so it is more easily hacked
  • Disgruntled employees or criminal activity within companies where e-mail addresses are stolen or copied and shared outside the company

What can I do if my email has been revealed?

How you respond to your leaked or revealed e-mail address is usually up to you and is based on the severity of the breach. For instance, if your email address was leaked in a group of email addresses for people with certain medical conditions then the severity of the leak or breach is much worse than if your email address was revealed in a general information mailing list where you were CC’d instead of being BCC’d.

If you feel that the revelation or breach is serious then you should start by reporting it to the company directly. You may find that they are willing to make reparations immediately or were not even aware of the problem. The company or person who revealed your email address is then responsible for reporting the breach to the supervisory authority within 72 hours of finding out about it. 

The supervisory authority will then investigate and will usually decide on the suitable disciplinary actions to be taken out, if necessary.

You can also ask to see the correspondence between the company and the supervisory authority as it pertains to you and your information.

This is all laid out in Article 33 of GDPR terms.

If you still feel that you have suffered injury or damage because your email address was revealed then you may be able to take the matter further. If someone else having access to your email address has resulted in measurable psychological or financial damage, then you may be able to claim compensation if you can prove that the injury or damage were directly linked to the data breach. 

How we can help with an e-mail GDPR violation

If your information has been leaked and you have suffered as a result, possibly through harassment, hacking, or other abuse of your e-mail address, then you are probably feeling vulnerable and uncertain. At Data Breach Claims we put you back in control and put you in contact with one of the best data breach solicitors in the UK. 

They will offer a free initial consultation to help you decide if your case is worth pursuing, and work on a No-win, No-fee basis. Our goal is to give you the best possible result.

Check free if you're owed an average £4,000 refund

Start My FREE Data Breach Claim 100% Safe & secure, no win no fee check