TABLE: Enforcement action & publicity for not using BCC

April 14, 2026

BCC errors still cause a good deal of regulatory intervention. Dr W Kuan Hon has catalogued some below. This table supplements an article on the data protection risks of not using BCC, available here.

Below, in reverse chronological order of decision publication date, are selected (non-exhaustive) examples, as at March 2026, of incidents where emails were sent using the TO/CC field when BCC should have been used. For most of them, enforcement action was taken. Outlook was mentioned as the email application in some, but most didn't state what emailing tool/service was used.

Usually, remedial action was also ordered, but is not mentioned below. Some involved other GDPR infringements too, such as lack of legal basis, data minimisation or transparency (not always flagged below). Many investigations were triggered by data subjects who received the non-BCC emails complaining to the regulator/supervisory authority about the disclosure of their email addresses to others. (Note: dates relate to the enforcement action, not the emailing incident, and some links are to non-English documents, where machine translation was used to review them. "PDB" below means personal data breach; "DPbDD" means data protection by design and by default.)
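The recurring failure in every entry below is the same one: the recipient list is placed in TO or CC, where the mail client transmits it to everyone, instead of in BCC, which the sending software strips before transmission. As an added example (not part of Dr Hon's table, and not any regulator's or vendor's code), the Python below shows a pre-send guard that an organisation's mailing script or gateway could apply: it counts the addresses visible in TO/CC, rewrites a bulk message so every recipient is in BCC, and shows what actually leaves the server (smtplib.send_message drops Bcc and Resent-Bcc headers before sending; the function replicates that rather than connecting to a server). The limit of one visible address, the example.org/example.com addresses and the sample message are assumptions constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption for this example: a bulk message may show at most one visible
# address (the sender's own or a role address) in To/Cc; everyone else is Bcc.
MAX_VISIBLE = 1


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Bare addresses found in the given headers (empty list if absent)."""
    values = []
    for h in headers:
        values.extend(msg.get_all(h, []))
    return [addr for _name, addr in getaddresses(values) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see in the delivered message."""
    return _addresses(msg, "To", "Cc")


def hidden_recipients(msg: EmailMessage) -> list[str]:
    """Addresses the message is delivered to but which are not shown."""
    return _addresses(msg, "Bcc")


def check_before_send(msg: EmailMessage, limit: int = MAX_VISIBLE) -> list[str]:
    """Pre-send guard: return a list of problems; an empty list means OK to send."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > limit:
        problems.append(
            f"{len(visible)} addresses visible in To/Cc (limit {limit}); use Bcc"
        )
    if not visible and not hidden_recipients(msg):
        problems.append("message has no recipients")
    return problems


def _copy_without(msg: EmailMessage, drop: set[str]) -> EmailMessage:
    """Rebuild msg with the named headers removed; body and other headers kept."""
    out = EmailMessage(policy=msg.policy)
    for name, value in msg.items():
        lname = name.lower()
        if lname in drop or lname.startswith("content-"):
            continue  # content headers are regenerated by set_content below
        out[name] = str(value)
    out.set_content(msg.get_content())
    return out


def rewrite_to_bcc(msg: EmailMessage, visible_to: str) -> EmailMessage:
    """Return a copy with every recipient moved to Bcc and To set to visible_to."""
    recipients = sorted(set(visible_recipients(msg) + hidden_recipients(msg)))
    fixed = _copy_without(msg, {"to", "cc", "bcc"})
    fixed["To"] = visible_to
    fixed["Bcc"] = ", ".join(recipients)
    return fixed


def wire_bytes(msg: EmailMessage) -> bytes:
    """Bytes as transmitted: smtplib.send_message strips Bcc and Resent-Bcc
    before sending, so Bcc addresses never reach other recipients."""
    return _copy_without(msg, {"bcc", "resent-bcc"}).as_bytes()


def sample_cc_mistake() -> EmailMessage:
    """Constructed sample: the classic error, with every patient in Cc."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = "clinic@example.org"
    msg["Cc"] = "alice.smith@example.com, bob.jones@example.net, carol@example.org"
    msg["Subject"] = "Support group meeting"
    msg.set_content("Please join us next Tuesday.")
    return msg


if __name__ == "__main__":
    bad = sample_cc_mistake()
    print(check_before_send(bad))                       # names the problem
    good = rewrite_to_bcc(bad, visible_to="clinic@example.org")
    print(check_before_send(good))                      # []
    print(wire_bytes(good).decode())                    # no Cc, no Bcc, no patient addresses
```

The guard is deliberately applied to the message object before it reaches the SMTP layer: the Gloucestershire and Medtronic entries below show that relying on staff to pick the right field in Outlook (where BCC may not even be shown by default) is exactly what fails.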

February 2026, Austria

Event organiser: Confirmation that it infringed data protection rights (including legal basis and data minimisation) by marketing an upcoming event to numerous recipients using CC.

December 2025, Italy

Istituto Comprensivo di Roverbella: special category data (health): €1,000 fine. The school sent an email on vaccination requirements for students under 16, mistakenly leaving recipients' email addresses visible instead of using BCC.

September 2025, Belgium

Y (unnamed): Prima facie decision warning Y that it must have sufficient measures for security and DPbDD, after it emailed a satisfaction survey to many individuals and companies using CC.

July 2025, Greece

Hestia Bookstore: €3k fine (press release) for integrity/confidentiality and security breaches, plus fines for other breaches including non-notification of the PDB. The publisher emailed ~55 recipients using TO, disclosing the complainant author's email address, name, publishing pseudonym and other personal data, and gender identity.

February 2025, Italy

Dr Fero: €10k fine. Political candidate emailed ~500 of his patients without using BCC.

January 2025, Romania

Vodafone Romania S.A: 74.526 lei (€15k) fine. Several security breaches, including not using BCC when informing some data subjects of account manager changes.

November 2024, Austria

XXXX (unnamed): special category data (political opinions). €28k fine on a political party, reduced from €50.7k by the Federal Administrative Court. For a political campaign, the party's employee mistakenly sent two emails (attaching "open letters") to an open email distribution list visible to all recipients, each containing ~400 email addresses in the TO field. At least 100 email addresses revealed full names, including both work and private email addresses of individuals. The addresses had been obtained from public sources. The emails disclosed recipients' names/email addresses, employer in some cases, and also political opinions, even if indirectly, by implying (due to the emails' content) that recipients shared the party's political views. The party notified the PDB.

May 2024, UK

Conservative Party (New Statesman news): special category data (political affiliation). The Party reported the PDB to the ICO, but no enforcement action was taken. Based on the New Statesman article: an email was sent to 344 people using TO, asking recipients to complete their registration for the Conservative Party Conference 2024 (from which recipients might be able to infer other recipients' political affiliation). No enforcement: "Breach recorded – regulatory action criteria not met", "Informal action taken", "Advice given", according to row 527 of the ICO's Self-reported personal data breach cases Jul-Sept 2024 spreadsheet.

May 2024, Italy

TO4 health authority: special category data (health) €8.4k fine. Email to 45 recipients on general treatment for multiple sclerosis, using CC through human error (despite instructions to staff to use BCC). The authority reported the PDB. The regulator reiterated that email addresses are considered personal data, even if they do not contain references to the data subject’s name and surname or any other information directly identifying the data subject.

April 2024, UK

Central YMCA: special category data (health). £7.5k fine, reduced from £300,000 (summary page), and reprimand (summary page); news release: Persistent sensitive information breaches failing people living with HIV. Seemingly this applied the ICO's trial revised public sector enforcement policy to the third sector/charities too. There's a 2024 ICO report on that trial, for anyone interested. An email with an event invitation, sent via Outlook to people on an HIV support programme, CC'd 264 unique email addresses; it was delivered to 255. 166 people were identifiable or potentially identifiable (115 email addresses had clear names, 51 contained at least part of a name). It could be inferred that they were likely to be living with HIV.

February 2024, UK

Ministry of Defence (which implemented changes as a result): £350k fine (summary page). See also, if interested, the MoD spreadsheet breach (an email breach, but not a TO/CC issue) and the ICO's 31 Jul 25 guidance on removing hidden data and metadata before public disclosure of documents. Emails related to the Afghan Relocations and Assistance Policy programme were sent in 2021 and 2022 via Outlook using the CC field. 265 unique email addresses were disclosed, identifying hundreds of Afghans eligible for evacuation.

February 2024, Italy

Medtronic Italia (provides a medical device: a free web-based application for people with diabetes using compatible Medtronic medical devices, and their caregivers): special category data (health). €300,000 fine. The emails were to Italy-located users of its MiniMed Mobile app, which connects, via Bluetooth, its insulin pump to the user's smartphone; still health data, although some recipients were caregivers. Medtronic Diabetes emailed MiniMed Mobile app users about a server maintenance update and users' resulting need to re-login to certain software. 11 email notifications were sent, using Outlook: 10 contained 490-495 email addresses, one contained 8. Against procedure, CC rather than BCC was used, exposing addresses to ~489-494 or 7 other recipients respectively. ~5,001 email addresses of MiniMed Mobile app users worldwide were exposed, including 732 in Italy. Some email addresses contained first and last names, so those individuals were identifiable.

January 2024, Catalonia, Spain

Eulen, Servicios Sociosanitarios, SA: €3,000 fine. Emails about activities of a centre for disabled people, addressed to "family and guardians" by name (and in some cases surname), were sent to ~50 email addresses without BCC.

2023, Romania

?name: RON 24,870.5 (€5,000) fine. The controller distributed information by email without BCC, resulting in disclosure of ~180 email addresses.

August 2023, UK

Executive Office’s Interim Advocate’s Office (set up after the Historical Institutional Abuse (HIA) Inquiry): Reprimand (summary page). An e-newsletter was sent to 251 subscribers using the TO field. Although only email addresses were disclosed, it can be inferred that recipients were likely to be victims and survivors, as the newsletter content was tailored to survivors wishing to engage, or already engaging, with the HIA Inquiry compensation scheme.

July 2023, Malta

Educational institution: Ruled an infringement (integrity/confidentiality, security). A lecturer sent Microsoft Teams links and classwork to students’ personal email addresses using CC.

July 2023, UK

Patient & Client Council (PCC): special category data (medical/health). Reprimand (summary page): "This type of data breach is all too common but is easily avoidable. Organisations must take responsibility for training their staff properly and for putting appropriate systems and policies in place to avoid such incidents. Even if the content of an email is not sensitive or confidential, identifying people who have received it could reveal sensitive or confidential information about them…". PCC emailed, using CC, 15 members of a Gender Identity Liaison Panel it was establishing, comprising individuals from across Northern Ireland who had lived experience of gender dysphoria. 13 email addresses contained sufficient identifying information. Recipients could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email.

April 2023, Germany

8 U 94/22: A German court noted in the context of a wider decision (Google translation), “If the member sends an email to multiple members simultaneously, they are required to mask the email addresses (eg, by using the “bcc” function)…”.

March 2023, UK

NHS Highland: special category data (health). Reprimand (summary page, press release). It could have been fined £35,000 but for the ICO's new approach towards the public sector. It emailed 37 patients, without using BCC, to invite them to a meeting. Most email addresses included first name and surname, or part of the name. A recall attempt was unsuccessful. With a reasonable degree of certainty, recipients would have been able to identify other recipients as being likely to be accessing HIV services. "Failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019."

January 2023, Italy

Padua University Hospital: €5,000 fine: integrity/confidentiality, special category (although the hospital argued only 7 addresses were identifiable and 12 couldn’t be “immediately traced back” to account-holders). While seeking informed consent for clinical trial enrolment (Cardiac Surgery Unit), an email was accidentally sent to patients involved in the trial using CC, revealing email addresses of all patients awaiting heart transplants: 19 email addresses involved.

January 2023, Romania

Apă Canal Ilfov SA: RON 14,757.60 fine (€3,000). Emailed registered users using TO, revealing email addresses of a “significant number” of data subjects.

July 2022, Italy

Senseonics Inc (US company offering a diabetes app): special category data (health). €45,000 fine; there were also other infringements (summary). For an information campaign, it sent emails using CC, disclosing email addresses and health data relating to ~2,000 Italian diabetic patients.

June 2022, UK

Tavistock & Portman NHS Foundation Trust: £78,400 fine, reduced from £784,400 on account of its public sector status and other circumstances (summary page). It used Outlook to send bulk emails to 1,781 email addresses using TO, inviting patients of the adult Gender Identity Clinic to participate in an art competition (two identical emails were sent, one to 912 recipients, the second to 869 recipients). It was clear from the content of the email that all recipients were patients of the clinic, and there was a risk that further personal details could be found by researching the email addresses.

June 2022, Spain

D.C.C.C.: €3,000 (Art. 5(1)(f) breach) plus €2,000 (Art. 32 breach) fines. A marketing email was sent to nearly 200 recipients without using BCC.

May 2022 (pre-GDPR incident, under Data Protection Act 2018), UK

Probation Board for Northern Ireland (PBNI): Reprimand. Calendar WebEx invites, containing WebEx joining instructions for online programmes, were sent as group calendar invites through Outlook to service users, with email addresses visible to other recipients. These were sent on three separate occasions, relating to the Horizon programme (for service users convicted of sexual offences) and programmes for users convicted of domestic violence. 27 service users' email addresses were revealed to other recipients. Most email addresses contained identifiable attributes (full name or part of a name), and researching the email addresses may have allowed identification via links to social media sites or similar. A recipient could infer that the other recipients had been convicted of domestic violence or sexual abuse.

April 2022, Italy

Società Ospedale San Raffaele srl: special category data (health). €70,000 fine (lack of legal basis). The hospital reported the PDB after emailing a newsletter to Neurology Unit patients using CC: 499 email addresses, of which 321 contained patient names, 46 family member/caregiver names and 132 were "not names". It also emailed a newsletter on a new pavilion to Transplant and Metabolic-Bariatric Surgery Unit patients: 90 email addresses, of which 75 involved names of patients and/or family members/caregivers and 15 were argued to be "not directly identifiable". But, "even if some of the email addresses lacked references to the data subjects' first and last names or other directly identifying information, they constitute personal information, subject, like other information, to the application of the [GDPR]. Furthermore, it could be deduced from the context that the recipients were users of the Neurology Unit in one case and the Transplant and Metabolic-Bariatric Surgery Unit in the other, and therefore patients being at those Units, implies that the processing for which the data breach notifications were sent to the Italian Data Protection Authority [Garante] concerned health-related information, as it concerns information relating to healthcare services, which reveals health status… Therefore, the sending of communications via a single email to multiple recipients, whose addresses were entered in the copy (cc) field, effectively, without justification and in the absence of a legal basis, disclosed the health status of the other patients to the recipients of the communications." Outlook was not mentioned specifically, but the supplier of the company's emailing application was stated to be Microsoft: "discussions are underway with the supplier of the company mailing application (Microsoft) to evaluate the technical possibility of introducing forms of control/management of mass communications".

April 2022, Belgium

"Y", a youth care organisation: In contrast, the Belgian regulator (APD/GBA) considered that, in the circumstances here, the email did not constitute a notifiable PDB. A newsletter was emailed to 16 recipients using CC. This was, strictly, a data breach, but given the limited number of recipients (16) and the limited personal data involved (email addresses only; no personal data was in the email body itself), the controller could rely on the breach being unlikely to result in a risk to individuals to justify not notifying it.

March 2022, Belgium

A municipality: Another example where complaints were not upheld, as emails were sent only to volunteers who had provided their email addresses, and BCC was used.

February 2022, Italy

Bank of Italy: Reprimand (legal basis, integrity/confidentiality). An email was sent, using TO, to ~500 applicants about a pre-selection test for recruitment of legal experts. In numerous cases the email addresses contained personal data, clearly displaying first name and/or surname, or initials, abbreviations or acronyms that could identify them.

October 2021, UK

HIV Scotland: special category data (health). £10,000 fine (summary page, news release). An email on an event agenda was sent via Outlook using CC to 105 recipients, members of an HIV patient advocates network, with 65 email addresses identifying individuals by name. The email's content combined with the identity of the sending organisation revealed information from which special category data could reasonably be inferred. Even if the email addresses/content were not special category data, there were clearly particular sensitivities that HIV Scotland should have considered.

Labour Relations Agency (which "deals confidentially with sensitive labour disputes between employees and employers", BBC news): No enforcement, according to row 957 of the ICO's Self-reported personal data breach cases Q3 2021/22 spreadsheet (pointed to in its response to a freedom of information request in 2023): "Breach recorded – regulatory action criteria not met", "Informal action taken", "Advice given". A customer satisfaction survey invitation was emailed, without using BCC, to 213 clients who had used its Early Conciliation programme.

September 2021, Spain

Sacramental Y Penitencial Cofradía De Nuestro Padre Jesús, Sacramentado Y María Santísima De La Piedad, Amparo De Los Leoneses: Reprimand. Emails were sent to members of this organisation without BCC, exposing the complainant's name and surname.

September 2021, Greece

"B": Reprimand issued (security breach). A press release was emailed to many recipients using TO, many of whose addresses showed full names.

September 2021, Iceland

Directorate of Labour: No fine etc, as corrective and preventative action had since been taken. Emailing 100 recipients using CC (human error) was a security breach (although no PDB was reported).

February 2021, Malta

GRS Recruitment LTD: Corrective measures ordered. Two emails were sent using CC to 201 recipients on 11 February 2020, providing information about IT job vacancies.

January 2021, Belgium

School: Reprimand. A school emailed a newsletter to parents without using BCC (similarly with previous emails). This lacked a legal basis and breached GDPR requirements on purpose limitation and DPbDD.

X: An appeal court reversed the regulator’s €5k fine on a political candidate for sending emails using CC, for disproportionality and ignoring relevant factors.

January 2021, France

?name: Reprimand; this was a notifiable PDB, and the regulator issued a reminder of the controller's obligations. The email was sent by the controller's service provider, "using an IT tool", without BCC to customers (all the people on one flight): 37 email addresses, some of them generic addresses of legal entities.

December 2020, Spain

LOSADA ADVOCATS S.L. (law firm): €10,000 fine (integrity/confidentiality breach) and reprimand (security breach). An email was sent without BCC to "dozens" of recipients.

September 2020, Spain

Burgos City Council: Warning (integrity/confidentiality and purpose limitation breaches). Parties to a conciliation procedure were emailed, without BCC, disclosing one party’s email address and other personal data.

February 2020, Spain

Electric Renting Group, S.L.: €2,500 fine (integrity/confidentiality etc). A promotional email was sent without BCC to dozens of recipients.

VOX ESPAÑA political party: Reprimand only (although political opinions are special category data). An email was sent to some party members without BCC.

July 2018 (pre-GDPR incident), UK

The Independent Inquiry into Child Sexual Abuse (IICSA), set up to investigate the extent to which institutions had failed to protect children from sexual abuse: £200,000 fine (summary page, news release). An email to 90 Inquiry participants telling them about a public hearing was sent using TO, identifying them as possible abuse victims. 52 email addresses contained full names or had a full-name label attached.

Gloucestershire Police (Chief Constable of Gloucestershire Constabulary, or GC) (BBC news): £80,000 fine (news release). An update on investigations of abuse regarding multiple victims was sent in 2016, via Outlook using TO, to 56 recipients potentially including victims, witnesses, lawyers and journalists, exposing the full names and email addresses of all recipients (only 1 recall succeeded, once the Force identified the breach 2 days later). "At the time of the incident the 'bcc' field was not a function automatically selectable on GC's Outlook format. A staff member therefore had to adjust their own settings to be able to use this function. The 'bcc' field was inadvertently not used on this occasion."

May 2016 (pre-GDPR incident), UK

Chelsea & Westminster Hospital NHS Trust: £180,000 fine (summary page, news release). A sexual health clinic offering services to patients with HIV emailed a newsletter using TO to over 700 users of the service. 730 of the 781 email addresses contained people's full names. There had been a similar error a few years earlier, when a questionnaire on their HIV treatment was emailed to 17 patients using TO.

Dec 2015 (pre-GDPR incident), UK

Bloomsbury Patients Network: £250 fine, "due to its status as an unincorporated association but because of the serious nature of the breach, most organisations would expect to receive a much larger fine" (news release). A newsletter was emailed to 200 patients using TO. 56 patients' full or partial names were revealed. The incident was the second of this type at the Bloomsbury Patient Network in three months.