"Please note that this email has been blind-copied to each of the people whose email addresses you revealed on behalf of XXXX.
Thank you for your email. A number of points arise from it.
You have revealed my email address to a large number of people whom I do not know, and to whom I would not want my personal data revealed. Even though this act was probably inadvertent, it is serious enough to warrant a report to the UK Information Commissioner’s Office (ICO), since it seriously affects my personal data protection rights and freedoms and those of a very large number of other people. You are required by the UK 2018 General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, to make a report of your breach to the ICO. You should first of all contact your Data Controller, who will be aware of the procedure. I attach a copy of the form that the ICO has produced to enable you to do so. I shall also be making a brief report on this incident to the ICO.
I note that you indicate that you are maintaining a register of those who have requested the right of erasure and the actions you have taken. I would remind you that personal data is defined as data that can be used to identify an individual. From your description of what you are intending to put in your register, it would appear that enough information will be recorded to allow identification of people. This is a violation of the provision in the GDPR to allow the erasure of personal data. I will also be reporting this to the ICO.
I understand that the GDPR contains a provision similar to section 36 of the Data Protection Act 1998. This disapplies the data protection provisions for individuals who are not members of an organisation holding the data. Effectively, this means that the people to whom you have revealed my personal data have no obligation to delete it. That is another reason why your data protection breach is more serious than you might think. Nevertheless, you ought to contact them (not revealing the email addresses again, of course) to request that they delete all the data they have received. I shall be doing so immediately after sending this email. I shall keep your email address because you chose to reveal it to me in your email, and because I may need to contact you again – see below.
Should any consequences arise from your breach, I shall be in touch again."