Hello,

This is important, so please read carefully.

Yesterday you sent out a newsletter to $N ($N_spelled_out) people, including myself. There is nothing wrong with your newsletter per se, except one subtle but significant fact: all the recipients are addressed on the same to: line. Which means all of these people can now clearly see and identify all the other recipients. (The same would be true for cc: addresses, so if you wish to send newsletters this way, you need to use bcc: addressing. If you don’t understand the previous sentences, please ask your friendly local IT support for clarification.)

I wish to call your attention to the obvious privacy implications and that I have personally NEVER authorised $YOUR_COMPANY to disclose my personal data (and the implicit fact that I have done any business with you) to any third parties. I don’t expect the $N-1 other recipients of your email to have done so, either.

Just to be clear: this is a serious breach of prevailing personal data protection principles. In particular, a violation of the Personal Data Act (Personuppgiftslag, SFS 1998:204) of Sweden, which is based on common EU rules. I trust that you are aware that violation of this law, even if only due to gross negligence, may be subject to penalties.

This is a friendly warning. I am not seeking any compensation, based on my trust that you will immediately take the steps necessary to remedy this situation going forward. However, I do expect a reply to this mail which makes me confident that the issue has been understood by the humans in charge and receives proper attention.

Sincerely,
Tom Szilagyi