GDPR Data Breach: Email Errors and Consequences

Stefano Gazzella, 25 November 2025 10:28

Like it or not, sending an email to the wrong recipient constitutes a personal data breach under the GDPR. This obviously applies if the email contains personal data or if personal information can otherwise be inferred from the message. As with any data breach, assessments are necessary.

In any case, the event must be recorded and documented, even when notification to the supervisory authority is not mandatory because the breach has been deemed unlikely to pose a risk to the rights and freedoms of natural persons. This follows both from the express provision of Article 33, paragraph 5 of the GDPR, and from the fact that security management requires documenting even near misses, or unsuccessful events, in order to assess measures that could prevent their recurrence.

Even sending a message to CC instead of BCC is a data breach.

When a communication is sent as a CC (carbon copy) rather than a BCC (blind carbon copy), the email addresses are revealed to all recipients. This obviously assumes the addresses were intended to remain hidden.

Therefore, unless only functional addresses are involved (such as privacy@, administration@, and so on), the data breach occurred because there was a loss of confidentiality of the email address, which is personal data since it concerns an identified or identifiable natural person.
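The CC-versus-BCC mistake above is one of the few e-mail breaches that can be caught before the message leaves. The following pre-send check is an added example, not code from the article or its author: it parses the outgoing message, lists the addresses every recipient would see (To plus Cc), discounts functional mailboxes (the article names privacy@ and administration@; the other local parts in the set are assumptions for this example), and blocks the send when two or more personal addresses would be disclosed to one another. The two sample messages are constructed.

```python
"""Pre-send check for the CC-instead-of-BCC disclosure.

Added example, not part of the original article. Uses only the Python
standard library's email package.
"""
import email
from email.utils import getaddresses

# Local parts treated as functional (role) mailboxes rather than the address
# of an identifiable natural person. privacy@ and administration@ come from
# the article; the rest are assumptions and should be tuned per organisation.
FUNCTIONAL_LOCALPARTS = {"privacy", "administration", "info", "noreply", "no-reply"}


def is_functional(address: str) -> bool:
    """True if the address is a role mailbox, i.e. not personal data by itself."""
    local_part = address.rsplit("@", 1)[0].lower()
    return local_part in FUNCTIONAL_LOCALPARTS


def visible_recipients(raw_message: str) -> list:
    """Return every address that all recipients will see (To + Cc).

    Bcc is deliberately excluded: a correctly behaving mail client strips it
    before delivery, so Bcc addresses are not disclosed to the others.
    Addresses are lower-cased and de-duplicated, preserving header order.
    """
    msg = email.message_from_string(raw_message)
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    seen = []
    for _display_name, addr in getaddresses(header_values):
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def assess_exposure(raw_message: str, threshold: int = 2) -> dict:
    """Decide whether sending would disclose personal addresses to other recipients.

    A loss of confidentiality occurs as soon as two personal (non-functional)
    addresses share the visible headers: each recipient learns the other.
    `threshold` is the number of exposed personal addresses at which the
    message is blocked; the default of 2 matches that reasoning.
    """
    visible = visible_recipients(raw_message)
    exposed = [addr for addr in visible if not is_functional(addr)]
    block = len(exposed) >= threshold
    return {
        "visible": visible,
        "exposed": exposed,
        "block": block,
        "advice": "move personal recipients to Bcc" if block else "ok to send",
    }


# Constructed sample: the mistake. Two natural persons are in Cc, so each
# would learn the other's address and, from the subject line, why they
# were written to.
SAMPLE_CC_MISTAKE = """\
From: benefits@example-agency.test
To: privacy@example-agency.test
Cc: Anna Rossi <anna.rossi@example.net>, Marco Bianchi <marco.bianchi@example.org>, privacy@example-agency.test
Subject: Reply to request for benefits/contribution

We hereby inform you of the outcome of your request.
"""

# Constructed sample: the same message with the personal recipients in Bcc.
SAMPLE_BCC_FIXED = """\
From: benefits@example-agency.test
To: privacy@example-agency.test
Bcc: anna.rossi@example.net, marco.bianchi@example.org
Subject: Reply to request for benefits/contribution

We hereby inform you of the outcome of your request.
"""


if __name__ == "__main__":
    for label, raw in (("CC mistake", SAMPLE_CC_MISTAKE), ("BCC fixed", SAMPLE_BCC_FIXED)):
        result = assess_exposure(raw)
        print(f"{label}: block={result['block']} exposed={result['exposed']} ({result['advice']})")
```

The check is intentionally blind to message bodies: as the article goes on to explain, the subject line and the law cited in the text can turn a disclosed address into an inference about health or other special-category data, and that contextual assessment still has to be done by a person once an incident is recorded.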

Caution: the email address isn’t necessarily the only information exposed and worth considering when assessing risks. Even in the case of standardized communications, everything depends on the context and what else can be deduced. Let’s see how.

For example, if the subject line reads “Reply to request for benefits/contribution,” even if the text is something like “We hereby inform you of the successful outcome of your request for a contribution pursuant to Law No. …” (or even consider the possibility of a denial, because, after all, being negative in life inspires the best black metal songs), then depending on the law invoked, it will be possible to determine what type of benefit was requested. If it is related to a health condition, this is quite significant and impactful information. In terms of privacy, this certainly means a risk that is not unlikely and likely significant for the data subject, and therefore requires notification to the supervisory authority and communication to the affected data subjects.

Another example. In the case of a marketing communication, displaying all the participants’ addresses may trigger a notification obligation depending on the number of recipients, but also on the possibility of obtaining further deductible information (e.g., if it’s a discount reserved for BDSM club members, or for those who have expressed an interest in learning more about certain philosophical topics). In short, the risk must be assessed concretely.

Of course, the recipients of the miscommunication must also be taken into account, whether they are more or less well-known and trustworthy individuals.

Assess the recipient’s trustworthiness.

The recipient’s reliability matters, whether it’s an internal or external entity. This was confirmed, for example, by provision no. 117 of February 27, 2025, of the Italian Data Protection Authority, which recognized the validity of the defense’s arguments by invoking the relevant EDPB guidelines 9/2022, according to which:

Whether or not the data controller is aware that personal data is in the hands of individuals whose intentions are unknown or potentially harmful can impact the level of potential risk. Consider a confidentiality breach where personal data is disclosed to a third party as defined in Article 4(10) or to other recipients by mistake. Such a situation may arise, for example, if personal data is accidentally sent to the wrong department of an organization or to a frequently used supplier. The data controller may ask the recipient to securely return or destroy the data received. In both cases, given that the data controller has an ongoing relationship with these entities and may be aware of their procedures, history, and other relevant details, the recipient may be considered “trustworthy.” In other words, the data controller may assume that the recipient enjoys a certain level of trust and can reasonably expect that they will not read or access the data sent by mistake and will comply with instructions to return it. Even if the data were accessed, the data controller may still trust that the recipient will not take further action regarding the data and will promptly return the data to the controller and cooperate in ensuring its recovery. In such cases, this aspect can be taken into account in the data controller’s risk assessment following the breach; the reliability of the recipient may mitigate the severity of the consequences of the breach, although this does not mean that a breach has not occurred.

Therefore, if the communication was mistakenly addressed to reliable parties, whether internal or external, the data breach has still occurred and must be recorded, but there is no obligation to notify the supervisory authority or to communicate it to the data subjects.

But here too, a concrete assessment must be carried out.

And don’t look for or even create easy excuses.

Stefano Gazzella
Privacy Officer and Data Protection Officer, serves as Of Counsel for Area Legale. Specializes in personal data protection and, in managing information security within organizations, pays particular attention to issues related to social engineering.
Head of the scientific committee of Assoinfluencer, coordinates research, publication, and outreach activities.
As a freelance journalist, writes about topics related to fourth-generation rights, new technologies, and information security.
