Some folks may be vaguely interested in an ongoing project of mine, which is to use GDPR and other rights, to trace an apparent data leak that led to me getting a specific item of junk mail. I suspect this will end with a tick box on a form, that was ticked by (say) a hotelier on my behalf, saying "I consent to spam", but I want to get right to the bottom of it. I actually get very little junk mail or spam these days, and want to keep it that way.
So, a few weeks ago, I received a leaflet posted from company A, a huge UK company. It was addressed to me, in person, "Mr Muddle" which makes it personal data. If they'd addressed it to just the house, they'd have been OK. So I wrote to company A, asking where they got my data. They named Company B.
I wrote to company B, a well known International name, asking where they got my data, and who else they may have shared it with. They named nearly 40 other companies to whom they have already sold my data, and named their source... company C.
Company C looks rather scary. It is a name I have never heard of, appears to be a very small entity. On their website, they boast to have over 10 million email addresses available, among other data. Company C admits to holding various categories of personal data, from those 10 million email addresses, to phone numbers, postal addresses, and (yes really) web browsing behaviour - possibly just their own website, unclear at this stage.
I am awaiting a response from company C, to disclose what they know about me, by what authority, and who else they may have passed it to.
I'm reluctant to name companies A, B, C at this stage but will keep this thread updated if anybody shows any interest.