Answer

A personal data breach occurs when there’s a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed. If this happens, the organisation holding the personal data must notify the supervisory authority without undue delay. If the personal data breach is likely to result in a high risk to your rights and freedoms and the risk hasn’t been mitigated, then you, as an individual, must also be informed.

Example

You booked your taxi via an online application. The taxi company has suffered a massive personal data breach and driver and user data has been stolen. It appears that no specific security measure was in place to protect the personal data. The company should have informed you about the breach. In this case, you can file a complaint against the taxi company before the national Data Protection Authority ('DPA').

References

  • Articles 32 to 34 and Recitals (85) to (88) of the GDPR