1) Sending sensitive data to the wrong email recipient, such as when a Dutch municipality accidentally sent 530 people's personal data to the wrong address. 2) Including all email recipients in the CC field, making everyone's email address public, such as when a Dutch municipality sent an email to 123 recipients using CC instead of BCC. 3) Storing copies of people's ID documents on an unsecured publicly accessible server, allowing third parties access to 800 people's data.