AER LINGUS REVEALED the email addresses of more than 100 people who applied for a communications job, potentially exposing their identities to other candidates through the blunder.
The IAG-owned airline apologised to the group four days after the job-hunters had their information shared in a 3 January group email.
In the correspondence, seen by Fora, Aer Lingus explained that candidates’ email addresses had been “inadvertently included” in a mass communication because their details were pasted in the ‘cc’ instead of the ‘bcc’ field.
More than 100 email addresses were shared in the original communication, which was sent after candidates completed an online test as part of their application for the communications specialist role.
“Aer Lingus would like to apologise to you for this mistake,” the airline told the affected jobseekers.
“Privacy is of the utmost importance to Aer Lingus and we are reviewing our processes to prevent this happening again.
“We are investigating how this occurred and will be taking actions to prevent any recurrence in the future which will include further training with relevant agents.”
Aer Lingus invited those who were affected to submit questions or comments directly to the company by emailing its data protection officer.
When contacted by Fora, a spokesman for the Data Protection Commission said the privacy watchdog had not been notified by Aer Lingus about the email blunder and it had not received any complaints from those affected by the incident.
Under EU-wide GDPR rules, which came into force last year, organisations must notify the commission of a personal data breach within 72 hours of becoming aware of it, unless the breach is “unlikely to result in a risk to the rights and freedoms of a natural person”.
The regulations state that people’s rights and freedoms may be at risk if personal data processing leads to “physical, material or non-material damage” such as identity theft or fraud, damage to reputation, or the loss of confidentiality.
Organisations face hefty fines if they are found to have breached the data protection rules.
In a statement, an Aer Lingus spokeswoman said it had “taken steps to prevent a recurrence of such an incident” – although it did not believe the matter required reporting to the Data Protection Commission.
“(GDPR rules state) that data breaches are not reportable … in circumstances where the breach is unlikely to result in a risk to the rights and freedoms of natural persons,” she said.
“Accordingly, given the nature of this incident, Aer Lingus was not of the view this threshold had been reached.”
She added that Aer Lingus had not received complaints from any of the email’s recipients about the incident.