Management: Add my (personal) email to the BCC of all the transactional mails (which includes forgot password, email confirmation, payment, booking, etc.) we are sending in this project, just to check the fucking cron jobs are working properly.

  • 2
    Eh. No!
  • 0
    @Voxera unfortunately they made me do it
    But it's not in production yet, so it's arguable, but I still don't support that shit.
  • 5
    @chowdercake still, it screams of bad practice, and I guess it's just a matter of time before someone forgets to remove one such hack and sensitive data ends up in the wrong place.

    And with the GDPR that can be very expensive and a nightmare to clean up.
  • 0
    My thoughts exactly!
    I explained the same and played the GDPR card (since the app is Europe-based).

    Also suggested that we could log the response ID we get after sending the email and check it with the SMTP provider if the message is undelivered or something else.

    Their response: the client is not that technical, he can't look into it (what they actually meant: we are not that technical and we don't want to deal with that shit 'cause we're retarded, so just BCC our emails). And now that I think about it, there was no client's email, just these two people. Fuck.

    I know someone will forget to remove that patch, and they asked to use their personal emails (still don't know why).

    At that point I was done with that shit (see my other rant on email templates).
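The alternative chowdercake describes above (log the provider's response ID for every send, then check it against the provider's delivery status instead of BCC'ing a person), written out as an added example; it is not code from the thread or from any project mentioned in it. It assumes a hypothetical provider API that returns a message ID on send and exposes delivery events (webhook or events endpoint); the provider class, the addresses, the timestamps and the HMAC key are all constructed for the example. It goes slightly beyond the comment in two ways: the log stores a keyed fingerprint of the recipient rather than the address, so the audit trail itself carries no personal data, and the same log answers the original question (did the cron job actually send anything?) without anyone receiving a copy of a password-reset mail.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Example-only key for fingerprinting recipient addresses. Assumption: in
# production it is loaded from a secret store, not hard-coded.
RECIPIENT_HMAC_KEY = b"example-only-key"


def recipient_fingerprint(address: str) -> str:
    """Keyed hash of the address so the audit log holds no plaintext recipients."""
    mac = hmac.new(RECIPIENT_HMAC_KEY, address.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


@dataclass(frozen=True)
class SendRecord:
    message_id: str    # ID the provider returned for this send
    template: str      # e.g. "password_reset"; never the body
    recipient_fp: str  # fingerprint, not the address
    sent_at: int       # unix seconds


class FakeMailProvider:
    """Constructed stand-in for an SMTP/API provider (not a real library).

    Real providers return a message ID on send and later report delivery
    events; this fake does both from memory so the example runs offline.
    """

    def __init__(self, bounce_domains=("bounces.example",)):
        self._bounce_domains = bounce_domains
        self._events = []

    def send(self, to: str, template: str, body: str) -> str:
        message_id = f"<{secrets.token_hex(8)}@mail.example>"
        domain = to.rsplit("@", 1)[-1]
        status = "bounced" if domain in self._bounce_domains else "delivered"
        self._events.append({"message_id": message_id, "event": status})
        return message_id

    def events(self) -> list:
        return list(self._events)


class AuditLog:
    def __init__(self):
        self.records = []

    def send_and_record(self, provider, to, template, body, now):
        """Send through the provider and keep only the metadata needed to audit it."""
        message_id = provider.send(to, template, body)
        self.records.append(SendRecord(message_id, template, recipient_fingerprint(to), now))
        return message_id

    def cron_ran(self, template, since):
        """The 'is the cron job working' check: did that template go out since `since`?"""
        return any(r.template == template and r.sent_at >= since for r in self.records)

    def reconcile(self, events):
        """Map every recorded send to delivered / bounced / missing (no provider event)."""
        by_id = {e["message_id"]: e["event"] for e in events}
        result = {"delivered": [], "bounced": [], "missing": []}
        for r in self.records:
            status = by_id.get(r.message_id)
            bucket = status if status in ("delivered", "bounced") else "missing"
            result[bucket].append(r.message_id)
        return result


def run_demo():
    """Constructed scenario: one nightly cron run with a good, a bouncing and a lost send."""
    provider = FakeMailProvider()
    log = AuditLog()
    log.send_and_record(provider, "alice@example.org", "booking_reminder", "...", now=1_700_000_000)
    log.send_and_record(provider, "bob@bounces.example", "booking_reminder", "...", now=1_700_000_005)
    # A send whose delivery event never arrived (e.g. the webhook was dropped):
    # it must show up as "missing", which is the case BCC would never reveal either.
    log.records.append(SendRecord("<lost@mail.example>", "password_reset",
                                  recipient_fingerprint("carol@example.org"), 1_700_000_010))
    return {
        "reminder_cron_ran": log.cron_ran("booking_reminder", since=1_700_000_000),
        "welcome_cron_ran": log.cron_ran("welcome", since=1_700_000_000),
        "reconcile": log.reconcile(provider.events()),
        "records": log.records,
    }


if __name__ == "__main__":
    out = run_demo()
    print("booking_reminder cron ran:", out["reminder_cron_ran"])
    for bucket, ids in out["reconcile"].items():
        print(f"{bucket:>9}: {ids}")
```

The reconcile step is the part worth wiring into monitoring: a growing "missing" bucket means sends that the provider never acknowledged, and a non-empty "bounced" bucket is the undelivered-mail signal the manager wanted, both available from a log that contains no addresses and no message bodies.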
  • 1
    @chowdercake Using the personal email is already a huge issue (not only in regard to GDPR), even if there is no unauthorized access. Most likely the privacy policy doesn't include the email provider, and I don't think sending it to that person (as a private entity who has no reason at all to access this data privately) would be considered valid from a GDPR perspective in any case. Also, keeping a copy of password reset mails and such is already a huge no-no.

    Make sure to cover your ass with a paper trail and try to get out of there before the company burns down (deservedly).
  • 0
    Of course.

    I don't have any grudge against my company; it's just the shitty management that can't hire people according to their needs or allocate resources as required.
  • 2
    @chowdercake Well if the management is that shitty and ignorant, the company is already doomed.

    Informing the relevant authorities about the GDPR violation before all the data inevitably gets leaked would be ethical (and even more so refusing to implement it), but might lead to personal consequences: in the manager's view it'd be your fault for whistleblowing, even if they clearly wanted it to end that way.

    A less risky (but still bold) strategy is to go forward and ask them if they want their business to still exist in five years, because if they do this, there's a great chance it won't.