The Dutch suicide prevention hotline 113 shared data from website visitors with third parties without consent, BNR reports based on research by ethical hacker Mick Beer of Hackedemia.nl. After being confronted with this research, Stichting 113 temporarily suspended all measurement and analysis tools on its website.

“If someone opens the 113 page, or clicks on the chat or call menu, that is sensitive information in itself,” Beer told the broadcaster. Until recently, 113 shared this data with third parties, including Google, even if visitors did not give consent via cookies.

The data included the user’s location, browser, device, the website the user had visited shortly before surfing to 113, and screen recordings of the 113 website visit. 113 also provided certain data to Microsoft, but this time only if the cookies had been accepted, Beer said.

“Anyone who surfed to the 113 website left a digital footprint behind,” the ethical hacker said. “Google and Microsoft can use this information to build general user profiles.”

Stichting 113 likely violated the General Data Protection Regulation (GDPR) by sharing this data. The GDPR states that extra care must be taken regarding the security of medical personal data, which includes contact with an anonymous suicide prevention hotline.

The suicide prevention foundation told BNR that it shared no substantive information from conversations or chats with help-seekers. “It concerns technical data regarding a website visit, so-called metadata,” a spokesperson told the broadcaster. “We realize that visitors must be able to trust that their privacy is protected and regret that concerns have arisen regarding this.”

Stichting 113 has temporarily disabled all measurement and analysis tools so that it no longer shares this data with third parties. “At this moment, we are investigating what happened, how this could have occurred, what the potential impact has been, and what our next steps are,” the spokespersons aid. They didn’t say whether the trackers would be turned on again.