
GDPR : personal data breach notification obligations query

  • 11-03-2021 9:17pm
    #1
    Registered Users, Registered Users 2 Posts: 72 ✭✭


    As a Littlewoods Ireland customer I received this email today.
    Dear xxxx,
    We want to make you aware that our delivery partner, Fastway Couriers, has recently been subject to a data breach in which customer delivery information was accessed.

    During the incident, which affected several companies that use Fastway Couriers, your name, postal address, email address and telephone number were accessed. No other information, such as your date of birth or payment details, was accessed. Fastway Couriers has assured us that it has secured its systems to help prevent this issue from arising again.

    The information accessed is not enough on its own to fraudulently access your Littlewoods Ireland account. However, our recommendation is for customers to always maintain strong and unique passwords across all of your online accounts, including your Littlewoods Ireland account, and remain vigilant for any unusual email activity.

    Ensuring the safety of your data is of utmost priority to us. If you would like further information, please call 01 805 3446 (8am to 6pm, Mon-Fri and 8am to 4pm, Sat) and our dedicated team will support you in the steps you can take.

    We have reported this incident to the Data Protection Commission (Ref: BN: 21-3-141).

    The Littlewoods Ireland Team


    I understand that as the data processor Littlewoods Ireland are obliged to inform each affected person of the following:
    A notification of a personal data breach by a controller to the DPC (which can be done through the breach notification form on the DPC’s website) must at least:
    a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

    b) communicate the name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained;

    c) describe the likely consequences of the personal data breach; and

    d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

    I believe this email does not satisfy these obligations, specifically A, C and D above.

    A) The notification does not inform me of 'the categories and approximate number of data subjects concerned'

    C) The notification does not inform me of 'the likely consequences of the personal data breach'. I can think of quite a few.

    D) There is no mention of 'measures taken or proposed to address the' breach.

    Am looking for a review of my logic above, comments please :) What are the likely consequences of not adhering to the personal data breach notification obligations? What can I do? Is complaining to the data commission my best option?


Comments

  • Registered Users, Registered Users 2 Posts: 2 WhenIwasyoung


    The obligation of reporting a breach to the DPC is that of a controller. However, a processor can report on behalf of a controller. Fastway has reported this to the DPC. Difficult to say if it's in its capacity as a controller in their own right or as a processor on behalf of multiple controllers.
    The obligation to notify you as a data subject is only when there is a high likelihood of risk of harm. Notification to the data subject does not require all the information as provided to the DPC.
    I agree with you on C and D. Likely enough info to initiate some fraud maybe together with other data.
    You can complain to the DPC but also to Littlewoods. You can also take direct action through initiating legal proceedings. I've no experience in how successful this may be.


  • Registered Users, Registered Users 2 Posts: 1,053 ✭✭✭BornToKill


    What you’ve quoted is what the controller has to report to the DPC. That’s not to be confused with what they are required to tell the affected data subject.

