National Commission for Data Protection (CNPD)-Insurance company (8/5/2021)

On October 19, 2018, an employee of the controller had sent an e-mail to an uninvolved third party instead of the data subject. This occurred due to an error by the employee who had incorrectly entered the e-mail address of the data subject. In addition to the name and gender of the data subject, the e-mail also contained detailed information about the data subject’s illnesses. In addition, the attachment contained three forms relating to illnesses that the data subject had reported in connection with the conclusion of a life insurance policy.On November 29, the same incident occurred. The second misdirected e-mail contained, in addition to the data subject’s name, very specific questions about a particular pathology, the last name of the life insurance doctor, the address of said doctor, and two blank forms related to said pathology to be filled out by him or his doctor

The DPA noted that it had not been informed of the data breach in a timely manner in accordance with Art. 33 GDPR. The company had also not complied with its documentation obligation under Art. 33 (5) GDPR.
Furthermore, the DPA found that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk for the data subjects.