GDPR and contact tracing
posted 3 years ago
Person A has a business relationship with Person B, comprising both keeping contact information and physical interactions. Person C contacts Person A and requests Person B to contact details without proving their identity. It appears to me that sharing such information would be a violation of Article 5(1)(f) the GDPR because Person A has not "ensured appropriate security of the personal data". Is this statement true?