Alleged disclosure of the complainant’s personal data by a local authority (Data Breach Complaint)
The DPC received a complaint from an individual concerning an alleged disclosure of the complainant’s personal data by a local authority. The complainant alleged that the local authority had disclosed the complainant’s name, postal address and information relating to the housing assistance payment in error to a third party. The individual had been informed by the local authority that this disclosure had occurred. However, the individual was dissatisfied with the actions taken by the local authority in response to the disclosure and did not wish to engage further with the local authority with a view to seeking an amicable resolution of the complaint.
The DPC examined the complaint and contacted the local authority in order to seek further information regarding the individual’s allegations. The local authority confirmed to the DPC that a personal data breach had occurred when the complainant’s personal data was included, in error, in a Freedom of Information request response to a third party. In addition to the information provided by the local authority to the DPC in the context of its examination of the complaint, the incident in question was notified to the DPC by the local authority as a personal data breach, as required by Article 33 of the GDPR. In that context, the DPC engaged extensively with the local authority regarding the circumstances of the personal data breach, the data security measures in place at the time the personal data breach occurred and the mitigating measures taken by the local authority, including the local authority’s ongoing efforts to retrieve the data from the recipient.
On the basis of this information, the DPC concluded its examination of the complaint by advising the individual that the DPC was satisfied that the complainant’s personal data were not processed by the local authority in a manner that ensured appropriate security of the personal data and that an unauthorised disclosure of the complainant’s personal data, constituting a personal data breach, had occurred. On the basis of the actions that had been taken by the local authority in response to the personal data breach and, in particular, the fact that the recipient of the complainant’s personal data had returned the data to the local authority, the DPC did not consider that any further action against the local authority was warranted in relation to the subject matter of the complaint.