Case Studies Data Breach Notification
Repeated similar breaches
Over a period of 12 months, the DPC received notifications of a series of similar breaches from a data controller involved in financial matters. The controller sold services through a nationwide retail network owned and operated by a third party, which acted as its processor. The breaches occurred when existing customers of the controller made purchases at the processor’s outlets, but used an address different from the address they had previously registered with the controller.
Recent changes to the controller’s customer database systems had not been fully coordinated with those for sales, resulting in sales documents containing personal data being sent to customers’ old addresses rather than their new ones. The controller had instructed the processor not to accept purchase requests until changes of address had been registered, but some counter staff did not consistently follow the correct procedures.
When the DPC flagged the pattern of breaches, the controller agreed that there was a systemic problem that required attention by its senior management. While a technical solution was being designed and tested, the controller and processor adopted interim measures including re-training of staff, increased supervision, and a notice that appeared on screens used by processor staff when effecting sales, prompting them to confirm that the customer’s current registered address was correct. The controller implemented the changes in its IT systems to prevent sales documents being sent to incorrect customer addresses, and the recurring breaches ceased.
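As an added illustration, not part of the DPC case study or the controller's actual system, the kind of control the IT change could enforce: the sales system itself refuses to complete a sale when the address given at the counter differs from the registered address, until the change of address has been registered, so the rule no longer depends on counter staff following procedure. The class and function names and the in-memory customer database are hypothetical.

```python
from dataclasses import dataclass


class AddressMismatchError(Exception):
    """Raised when the address given at the counter is not the registered one."""


@dataclass
class Customer:
    customer_id: str
    registered_address: str


class CustomerDatabase:
    """Minimal in-memory stand-in for the controller's customer database."""

    def __init__(self, customers):
        self._customers = {c.customer_id: c for c in customers}

    def get(self, customer_id):
        return self._customers[customer_id]

    def register_address_change(self, customer_id, new_address):
        # The change-of-address step that must happen before a sale proceeds.
        self._customers[customer_id].registered_address = new_address


def normalise(address):
    """Compare addresses case-insensitively, ignoring spacing differences."""
    return " ".join(address.casefold().split())


def process_sale(db, customer_id, address_at_sale):
    """Return the address to which the sale documents will be dispatched.

    The check is enforced in the sales system rather than left to staff:
    if the address given at the point of sale does not match the registered
    address, the sale is refused until the change of address is registered,
    so documents can never be dispatched to a stale address.
    """
    customer = db.get(customer_id)
    if normalise(address_at_sale) != normalise(customer.registered_address):
        raise AddressMismatchError(
            f"customer {customer_id}: address given at sale does not match "
            "the registered address; register the change of address first"
        )
    return customer.registered_address
```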