Email sent to wrong recipient? Avoid getting fined

Sending an email to the wrong recipient can trigger privacy risks, and even sanctions, especially if the email contained attachments or other content with personal data. Here’s a brief analysis on how to limit the risk of sanctions and avoid getting fined in case of an email sent to the wrong recipient.

Recent cases

On 21.05.2020 the Data Protection Supervisory Authority of Romania (ANSPDCP) concluded an investigation into an energy operator that accidentally sent an email containing personal data of a customer to the wrong recipient, and found that the operator had violated the provisions of art. 32 of the GDPR, regarding the security of the processing.

The operator was sanctioned with a fine of 19368.4 lei, the equivalent of 4,000 EURO.

The investigation was initiated as a result of a complaint issued by a customer who had been informed by the data controller of the violation of the security and confidentiality of his personal data. The company accidentally transmitted, via email, the personal data of a client (name and surname, address, e-mail address, client code and eneltel code) to another client, who was not entitled to receive such information.

During the investigation, the National Supervisory Authority found that the operator did not take sufficient security and confidentiality measures to prevent accidental disclosure of personal data to unauthorized persons, violating the provisions of art. 32 of the GDPR.

The operator was therefore sanctioned because it did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk of the processing, generated especially by the unauthorized disclosure of or unauthorized access to personal data.

At the same time, the corrective measure was applied to the operator Enel Energie Muntenia SA, according to the provisions of art. 58 paragraph (2) i) of the GDPR.

Thus, the operator was obliged to implement the appropriate and adequate security measures, both technical and organizational, within 30 working days of the communication.

Prevention & Remediation measures

Sending an email to the wrong recipient is one of the most recurring cases of databreach, hence chances are it may happen to you too. So here’s a list of suggested safeguards to prevent the error and to limit its risks in case it happens.

1: Technical security measures

  • Recall the email: yes, in theory you can do that if you instantly become aware of the mistake. However, depending on the timing of the discovery and on the conditions and procedures of the different email service providers, you may not actually be able to prevent your message from being wrongfully delivered. In case you wish to give it a try, here’s a how-to guide. PROS: easy, generally free. CONS: might not be effective.
  • Adopt a data loss prevention software. Seriously, do it. Although not specifically aimed at preventing material errors by the sender, data loss prevention software detects potential data breaches and data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). It can feature advanced security measures which employ machine learning and temporal reasoning algorithms to detect abnormal access to data (e.g., databases or information retrieval systems) or abnormal email exchange, honeypots for detecting authorized personnel with malicious intentions, activity-based verification (e.g., recognition of keystroke dynamics) and user activity monitoring for detecting abnormal data access. It can become super useful if the breach is not the consequence of a mere error… PROS: effective technology. CONS: cannot prevent material errors, expensive.
  • Avoid including personal data in the body of the message and encrypt attachment files, then send the decrypting password through a different email (making the same mistake twice can happen, though it is less probable) or a different channel (e.g. SMS message, in-app notification). PROS: can effectively limit the risk of a databreach. CONS: adds burdens to communication and makes it slower; however, you can use in-mail add-ins to make it way faster.
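A pre-send check for the third measure above, added here as an example and not part of the original post: it holds an outbound message that carries personal data in the body, an attachment that is not an encrypted ZIP, or the password alongside the encrypted attachment. The regex patterns, the ZIP-only attachment rule and the function names are assumptions made for illustration.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Constructed patterns for illustration; a real DLP rule set is far broader.
PERSONAL_DATA = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "client code": re.compile(r"client code\s*[:#]?\s*\d{6,}", re.I),
}
PASSWORD_HINT = re.compile(r"\b(password|passphrase)\b\s*[:=]", re.I)


def zip_is_encrypted(data: bytes) -> bool:
    """True only for a ZIP whose every member has the encryption flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return False  # not a ZIP at all: treat as unencrypted
    return bool(members) and all(m.flag_bits & 0x1 for m in members)


def presend_findings(msg: EmailMessage) -> list:
    """Return the reasons an outbound message should be held for review."""
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Rule 1: no personal data in the message body.
    for label, pattern in PERSONAL_DATA.items():
        if pattern.search(text):
            findings.append(f"personal data in body: {label}")
    # Rule 2: every attachment must be an encrypted archive.
    encrypted_seen = False
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if zip_is_encrypted(part.get_payload(decode=True) or b""):
            encrypted_seen = True
        else:
            findings.append(f"unencrypted attachment: {name}")
    # Rule 3: the password must travel by a different message or channel.
    if encrypted_seen and PASSWORD_HINT.search(text):
        findings.append("password sent in the same message as the encrypted attachment")
    return findings
```

An empty list means the message passes all three rules; the check reads only the ZIP encryption flag and does not judge the strength of the cipher or password.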

2: Organizational measures

  • Train your employees: yes, that’s so important. The databreach lies between the fingers of your employee ready to send an email without double-checking if the email address is correct. You may wish to give them a proper training, pointing out the risks and pains which can arise from such an inaccurate move.
  • Get in contact with the recipient: once an email has been successfully sent, there is no way to call it back or delete it from the recipient’s inbox. Still, you can get in contact with the unintended recipient, explain that the email was a mistake, and ask them not to read the message – if that’s still possible.
  • Take note: study what happened and what fault caused the incident, in order to plan some follow-up action to limit the possibility it happens again. Document this process. It will be an aid to your defense in case of an investigation by the data protection authorities.

In any case, as a data controller you should carry out a databreach severity assessment in order to assess if the incident shall be communicated to the data subjects involved or notified to the supervisory authority. We built an automatic tool to do that for you, taking into account the EU (ENISA + EDPB) standards. If you wish to know more, get in contact here.


In the next TechnoLawgy post we will assess how to handle a databreach once it happens and how to evaluate whether it shall be notified to the Supervisory Authority. Meanwhile you may fancy a look here: DATA BREACH NOTIFICATION: NEW PROCEDURE ADOPTED IN ITALY also you can find the dedicated #databreach podcast here.

For more info drop me a line via Twitter –  Fb or Telegram  

If you think this information is valuable share it on your #SocialMedia, Be Influent!

Also don’t miss our Telegram channel @TechnoLawgy for the latest #Privacy and #LegalTech news!


Handling a DataBreach during Covid-19


Simple. Because data breaches happen every day. Therefore being able to handle a databreach, especially during the Covid-19 emergency, is crucial.

From 25 May 2018 to 31 March 2020, 2,368 breaches were notified to the Data Protection Supervisor, with a peak of 553 notifications between 30 September and 31 December 2019, followed in the latest period (i.e. from January to March) by 295 notifications. This does not mean, however, that this number actually corresponds to the number of data breaches suffered because, as we will see below, not all breaches must be notified.

In this post we will assess how to prevent a databreach.

The current cybersecurity scenario

The most recent report by Clusit, the Italian Association for Information Security, reported that about 1670 cyber attacks occurred in Italy in 2019 alone, with a growth percentage of 7.6% compared to 2018 and 91.2% compared to 2014. This figure, however, refers only to real attacks, i.e. those that have overcome all the existing defenses adopted by data controllers or data processors and have therefore caused significant damage, without considering failed and/or blocked attack attempts. The report also highlights that those affected by cyber attacks belong to the most varied categories, from companies providing online or cloud services to telcos, from the retail sector to the chemical/pharmaceutical or banking sector. This shows that no company processing personal data is immune from this type of danger.

Risks during emergency periods

Today, moreover, there is a further reason to talk about data breaches: as we will see in more detail, the emergency situation we are experiencing prevents – at least at the moment – all workers from going to their offices, so that many of these workers are turning to the remote working mode, which involves significant risks.


First of all, it should be pointed out that most data breaches are caused either by the adoption of insufficient technical security measures or by real human errors. Therefore, one of the most effective ways of avoiding them is to adopt, as required by the legislation, security measures – both technical and organisational – that are appropriate.
Now, the concept of adequacy is certainly mutable, since – unlike in the past – the GDPR does not indicate minimum measures to be taken to ensure data security, but on the contrary, it requires the controller to make a case-by-case assessment of what is actually adequate, taking into account:

  • the state of the art and the costs of implementing the measures it intends to adopt,
  • the nature, object, context and purposes of the processing,
  • risks to the rights and freedoms of natural persons.

Organizational measures

In this context, from an organisational point of view, an internal privacy compliance model is certainly essential. It is therefore necessary to identify the individuals who have a privacy role. It is very often assumed that the appointment of a Data Protection Officer is sufficient, but this is not the case. If the appointment of a DPO is necessary with respect to certain activities related to the data controller, this does not mean that the DPO should be called upon to ensure the privacy compliance of the data controller, as is often the case. On the contrary, the DPO plays the role of advisor and controller of the controller’s activities, providing advice and suggestions, but then the final decision is up to the controller, who must therefore be well aware of the risks arising from its choices.
This policy, depending on the circumstances, must identify the roles assigned to each person processing personal data and consequently the obligations and instructions applicable to them. In this context, fundamental precautions become both (i) ensuring that the procedures adopted are made known to the entire company population and (ii) that they are well understood also through training activities for employees and collaborators.

Technical measures for remote working

In addition to this, there are all the technical security measures that the controller must adopt. The GDPR, for example, refers merely to the pseudonymisation and encryption of personal data; however, their suitability must again be assessed on the basis of the actual processing.

Many authorities and institutions, such as the Department of Public Administration, ENISA and the Irish Data Protection Supervisor, have provided suggestions and guidelines on practices to be followed to ensure IT security in remote working. From a technical point of view, the main solutions that the employer can use are:

  • the activation of a VPN connection, i.e. that “secure” communication channel between the remote device and the company, through which applications and company data can be accessed directly;
  • the setting up of a remote device management system, with which the company’s IT technicians can monitor and manage any problems, after assessing the privacy compatibility of these tools with the provisions of the Workers’ Statute;
  • the use of ACL (Access Control List) systems, particularly effective in limiting the risk of unauthorized access, dissemination, loss and destruction of data.


In addition to technical measures, employee awareness and training are essential to stay up to date with the latest threats. In particular, adequate information about certain essential security concepts should be provided:

  • secure wifi connection; most wifi systems at home today are properly protected, but some older installations may not be. With an unsecured connection, people nearby can snoop around in network traffic;
  • updated security software and antivirus system; PC security tools such as privacy tools, browser add-ons, etc. need to be updated. Patch levels and system updates must be checked regularly;
  • regular backups; all important files must be backed up regularly. In the event of a computer attack, for example, the entire contents of a device could be lost without a backup.

In addition, employers can take action to optimize organizational management in case of incidents or risks, for example by providing a specific procedure to employees on how to react in case of problems and giving appropriate priority to support for remote access solutions, including through the establishment of special shifts for support staff.


In the next TechnoLawgy post we will assess how to handle a databreach once it happens and how to evaluate whether it shall be notified to the Supervisory Authority. Meanwhile you may fancy a look here: DATA BREACH NOTIFICATION: NEW PROCEDURE ADOPTED IN ITALY also you can find the dedicated #databreach podcast here.



🔐EU Cybersecurity Act adopted by European Parliament🆕

EU Cybersecurity Act: text approved

As recently posted on the official EU website, on Tuesday 12/03/2019, the EU Parliament adopted the EU Cybersecurity Act with 586 votes to 44 and 36 abstentions. It establishes the first EU-wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards.
