The answer to your question is No. Unless you can expand on the sensitive information question?

Yes. If they sent them personal and sensitive information about you.

Were they ever linked to the debt such as guarantor on a loan or anything? - does seem odd for sure.

As for GDPR, carelessness with Personal Data usually does breach data protection regs somewhere. Whether you'd get anywhere with it is another matter as it would have to be pretty serious/widespread for the ICO to do anything. My usual advice is find out who the registered data controller is for the company concerned and complain to them in the first instance. You can look that person up here https://ico.org.uk/ESDWebPages/Search

I've done this numerous times and you'd be surprised how effective it is at getting to the bottom of things like this.

Hi All,

Thanks for the replies.

Here's a little more info. I'm not sure how far personal or sensitive data is evaluated nowadays but on the email contained my Reference Number for the recovery agent, my full name and debt information.

I called them and have it recorded and I stated where did you get that email address. They looked and they didn't know.

The debt was on a credit card and there was no direct link. However I believe there is an indirect link as we both have/had credit cards from the same Bank and lived at the same address.

Should I send the data controller letter to both the recovery agent and the original creditor?

GDPR recognises special categories of data that need to be handled with particular care, but it doesn't actually include finance/debt info. The list is here:

https://ico.org.uk/for-organisations...ory-data/#scd1

So this is just an incorrect disclosure of your Personal Data which has (perhaps?) caused you embarrassment with your parents due to the nature of it. If your objective is just to get a proper/thorough investigation into how it happened, assurances they have got to the root cause of it and made changes to systems or procedures to stop it happening again, and a profuse apology, that's a reasonable expectation.

Sounds like it's just a system or human error. Bit of a mix-up between records or something.

I would send to the creditor as they were the ones who originally collected your data, and are the Data Controller + it sounds like the error is more likely to be theirs. i.e. if the debt company was responsible for the mix up, how would they have your parents data in the first place as they have no lawful basis to be holding it (unless of course, your parents were in debt too). The debt company is usually a Data Processor under contract to the creditor - so you'd still kick the same butt even if you thought the debt company was responsible for the bad data, and (in this case) were the ones who actually disclosed it.

Most emails contain a disclaimer to cover such an eventuality?

True. You can issue warnings that if they are not the intended recipient, they should delete it and notify, but lets be honest, it's just a hope and pray strategy for carelessness that has already occurred and proper control lost.

It does contain a disclaimer.

I'll just enquire to figure out how it happened because what's to stop them next time emailing another random person who isn't related with even more personal information. As long as there's accountability and an explanation as to how it happened I'll settle for an apology. If it goes deeper and trying to bait a family member into paying then I'll take it further but to prove that will be virtually impossible.