A recent story from Germany highlights the precautions companies must take when complying with data subject requests under the GDPR. While responding to a right of access request, Amazon accidentally disclosed the personal data of another Amazon user. Although no enforcement action has been taken by a GDPR authority in this case (yet), Amazon have opened themselves up to the possibility of a civil legal claim.
An Amazon customer in Germany exercised his right of access under the GDPR. Amazon agreed to send the customer all of the data they had collected about him. The files they sent over included all recordings made by the user’s Alexa smart device. The customer was surprised to find the Alexa recordings as he didn’t actually own an Alexa device. On investigation by a German media outlet, the files were discovered to be from an entirely different Amazon customer. The recordings contained information regarding the smart devices the other user had at home, the Spotify and alarm commands that user had made, and various snippets of conversations which revealed, amongst other things, that the other customer had a spouse who also lived in the home.
Even when complying with data subject requests under the GDPR, companies must take precautions to ensure they are processing that data securely. Whilst Amazon may not suffer a fine, as the fault only affected one user in this instance, any further breaches may lead to stronger action from the relevant authorities.