It appears that the other party, as Data Controller and/or Data Processor, has incorrectly Processed your Personal Data as a Data Subject by leaking it to other parties without a proper reason, and is therefore in breach of the Data Protection Act 2018 of England & Wales (“DPA”) and the EU’s General Data Protection Regulation (“GDPR”).
The UK’s Data Protection Regulator is the Information Commissioner’s Office (“ICO”). Its website contains much useful guidance, written in plain English so that a non-lawyer can understand it: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/.
The other party as a Data Controller and/or a Data Processor must adhere to the Seven Key Principles of Data Protection Law:
1. Lawfulness, Fairness, and Transparency.
2. Purpose Limitation.
3. Data Minimisation.
4. Accuracy.
5. Storage Limitation.
6. Integrity and Confidentiality (Security).
7. Accountability.
It appears that in leaking your Personal Data, the other party is in breach of the Principles of Lawfulness, Fairness, and Transparency, Data Minimisation, Accuracy, Storage Limitation and Accountability at the very least.
Furthermore, a Data Controller and Data Processor must only Process Personal Data if they have a Lawful Basis for so doing:
1. Consent: the Data Subject has given clear consent to process Personal Data for a Specific Purpose.
2. Contract: the Processing is necessary for a contract that the parties have entered into, or because the Data Subject has requested specific steps before entering into a contract.
3. Legal Obligation: the Processing is necessary to comply with the law (not including contractual obligations).
4. Vital Interests: the Processing is necessary to protect someone’s life.
5. Public Task: the Processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
6. Legitimate Interests: the Processing is necessary for the parties’ legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s Personal Data which overrides those legitimate interests.
It appears that the other party has Processed your Personal Data without any Lawful Basis.
As a Data Subject you have rights under the DPA and GDPR in respect of Data Breaches by a Data Controller/Processor:
1. Right to be Informed.
2. Right of Access.
3. Right to Rectification.
4. Right to Erasure.
5. Right to Restrict Processing.
6. Right to Data Portability.
7. Right to Object.
8. Rights in relation to Automated Decision Making and Profiling.
You must therefore assert your Rights of Access, Rectification, Restriction of Processing and to Object with the other party. I suggest that you send a formal written Request to the Data Controller/Data Processor asserting your rights as Data Subject that they correctly Process your Personal Data.
If you do not receive a satisfactory response from the other party after 28 days, I suggest that you report the other party to the ICO. The ICO may investigate the matter, issue a written warning to the other party, and threaten a further investigation or a fine if the other party does not take action to minimise the Data Breach and the resulting damage.
There is useful guidance on Data Breaches on the ICO’s website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/.