Curious Infringement of GDPR

Curious Infringement of GDPR

To err is human. A member Sprint Education, a marketing company that, as its name suggests, operates in the field of education, could say a lot about it. In their service offer, they stated that they offered strategies that adhere to the GDPR regulations. However, they accidentally violated this regulation by sending bulk emails to people asking them to update their email preferences.

The expanded report states that Sprint was collecting information on people under the terms of the GDPR, invoking a legitimate interest.

Unwanted mail

One of the recipients received this spam, but it contained a URL to update preferences with a string of numbers. The recipient noticed this error and was able to access the personal data of the other recipients in the list by adjusting the digit.

This option is no longer available and if someone tries to do so, he or she will be redirected to the so-called opt-out page, where they can unsubscribe from spam.

Cause of the misconduct

The company seeks to present itself as an experienced expert who does not take the GDPR lightly. Guy Lewis, director of Sprint Education, confirmed that emails containing detailed data retention information would be sent before the processing of customer data. The preference center serves as a place where customers can adjust their preferences to GDPR.

The “click tracker” feature has been identified as the main flaw that a company employee made. Emailing stopped as soon as this error was detected. Unfortunately, as expected, unfortunate email was already sent to up to 250 customers.

Imposition of a fine

As a result, strangers were able to view other people's private information thanks to this transgression. That is an infringement of Regulation No. 32 GDPR. However, these were publicly available data, which is a mitigating circumstance for Sprint Education. Information on whether a regulatory authority will address this issue is not available yet.