
Is this a breach of GDPR by TOC?

Status
Not open for further replies.

rf_ioliver

Member
Joined
17 Apr 2011
Messages
867
Having been involved with a fair bit of GDPR work thanks to my job, I am pretty damn confident that passing the complaint to another ToC (if appropriate and correct) would be covered under legitimate interest. After all, it is in your interest that the complaint gets to the right place!

My thinking too... I can't imagine any circumstance where the original ToC would need to "process" data further other than to keep a legitimate record of the complaint, which'll probably be reduced to just statistics at the end of the day.

Arguing passing data onwards to rectify a mistake, e.g. forwarding post, is not covered by the GDPR as long as the original receiver doesn't use that data for other purposes, e.g. marketing, advertising, profiling etc.

If the OP wants to make a SAR then they'll get back very little for this particular situation. What you'd really want to see is the procedure and policy for forwarding complaints to another ToC in case of mistakes as described here.

IMHO, no GDPR issues here.

Ian
 

RailUK Forums

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,784
Location
Scotland
Arguing passing data onwards to rectify a mistake, e.g. forwarding post, is not covered by the GDPR as long as the original receiver doesn't use that data for other purposes, e.g. marketing, advertising, profiling etc.
I'm not sure that writing to Company A and receiving a reply from Company B passes the initial 'sniff test' where GDPR is concerned (except where it would be the same person replying for either company).
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
Having been involved with a fair bit of GDPR work thanks to my job, I am pretty damn confident that passing the complaint to another ToC (if appropriate and correct) would be covered under legitimate interest. After all, it is in your interest that the complaint gets to the right place!

The primary issue was that it was not correct, as the complaint was against TOC A and they just hadn't read it properly.

I think it is pushing legitimate interest, to be honest. The passenger may for any reason of their choosing not want to contact TOC B (what that reason is does not matter). When submitting Delay Repay you agree to forwarding, but when submitting a generalised complaint that is not there.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
I'm not sure that writing to Company A and receiving a reply from Company B passes the initial 'sniff test' where GDPR is concerned (except where it would be the same person replying for either company).

I totally agree, and I would be quite angry at such a forwarding in this context (where the complaint has been misread).

A simple e-mail or telephone call to confirm understanding and whether the passenger was happy for it to be passed on is absolutely the right way to deal with this issue, law or no. But I do genuinely believe it would be a breach as described.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,590
Location
Merseyside
This isn't a case of Toc A receiving a complaint actually about Toc B so passing it to them for reply.

Rather, Toc A receives a complaint about them. I make this clear and state I am already in contact with Toc B separately. The case worker at Toc A replies asking for more details and hints it's none of their business. I reply answering the question and, again, clearly stating why my complaint is with Toc A. I receive a full reply in which they have totally misunderstood my complaint and say they've passed it to Toc B.

I reply to Toc A restating clearly why my complaint is with them, that I'm already in contact with Toc B myself and they didn't need to forward anything, nor did they have my permission. A manager then replies just repeating what the first person had said, that the complaint is not about them and it has been correctly passed to Toc B, and he then gave me the details of the railway ombudsman.

Toc A should not, in this case, have passed details of my complaint to Toc B.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,590
Location
Merseyside
What would be the best way to word or compose an email to Toc A complaining about a breach in this case to their Data Protection Officer and what sort of outcome should I seek?

Could I also contact the Data Protection Officer at Toc B instructing them to delete the information Toc A has sent them without my consent?
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
This isn't a case of Toc A receiving a complaint actually about Toc B so passing it to them for reply.

Rather, Toc A receives a complaint about them. I make this clear and state I am already in contact with Toc B separately. The case worker at Toc A replies asking for more details and hints it's none of their business. I reply answering the question and, again, clearly stating why my complaint is with Toc A. I receive a full reply in which they have totally misunderstood my complaint and say they've passed it to Toc B.

I reply to Toc A restating clearly why my complaint is with them, that I'm already in contact with Toc B myself and they didn't need to forward anything, nor did they have my permission. A manager then replies just repeating what the first person had said, that the complaint is not about them and it has been correctly passed to Toc B, and he then gave me the details of the railway ombudsman.

Toc A should not, in this case, have passed details of my complaint to Toc B.

To me that is a very clear breach. You have clearly stated that you do not want your data transferred, and they have done it anyway. This clearly fails any possible legitimate interest test.

If they were of the view that the complaint was not validly against them, in this context the only correct action for them to take was to state that they rejected it and refer you to the Ombudsman, not to transfer the data.
 

nickswift99

Member
Joined
7 Apr 2013
Messages
273
To me that is a very clear breach. You have clearly stated that you do not want your data transferred, and they have done it anyway. This clearly fails any possible legitimate interest test.

If they were of the view that the complaint was not validly against them, in this context the only correct action for them to take was to state that they rejected it and refer you to the Ombudsman, not to transfer the data.
Not the only course of action... They could have responded to the complaint explaining why they wished to transfer the data and asked for consent. The individual could then decide to give consent if they felt it appropriate.

I would suggest a formal complaint to the ICO. If you were so minded a Subject Access Request to both TOCs should yield evidence of any breach or provide further evidence of non-adherence to the Data Protection Act if the TOCs do not correctly respond to the requests.

Once you know what data TOC B has, you could attempt to exercise your right to be forgotten but this may not be possible as there are many exemptions. It may need a direction from the ICO to cause such data to be deleted if it can be determined it has not been lawfully collected.
 

island

Veteran Member
Joined
30 Dec 2010
Messages
16,113
Location
0036
Just to throw something out there, in many cases customer services functions are outsourced and it may be that TOC A and TOC B use the same provider. If that is the case I'm not sure that a breach has occurred since it's the same data controller.
Yes. I'm considering the situation where two TOCs outsource their customer service operations to the same supplier. Once lawfully transferred, the data becomes the responsibility of the data controller at the supplier. I'm less than convinced that (assuming that the CRM system is only accessible by the supplier) if Bob answers using one email address there's no breach, but if Bob answers using a different email address there is a breach.
This doesn’t make it not a breach. The outsource company is a data processor, not a data controller. It is possible for the data controller to change without the data themselves “moving” anywhere.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,784
Location
Scotland
This doesn’t make it not a breach. The outsource company is a data processor, not a data controller.
They're actually both. From the perspective of Company A they are a processor, but the moment they accept the data transfer they become a data controller in their own right - hence why outsourcers need to comply with the GDPR obligations and can't just say "We're only a processor".
 

FGW_DID

Established Member
Joined
23 Jun 2011
Messages
2,727
Location
81E
If your complaint is purely about TOC A then why mention TOC B at all? You must have mentioned TOC B in your initial complaint; TOC A aren't just going to pick a random TOC and send your details, are they?

Have you actually thought that, despite your belief, after an investigation by TOC A, the complaint in question is actually about TOC B, hence the referral?
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,784
Location
Scotland
Have you actually thought that, despite your belief, after an investigation by TOC A, the complaint in question is actually about TOC B, hence the referral?
Regardless of that, if I specifically tell Company A to not pass my details to Company B and despite that request they do then they have breached data protection law (assuming that A and B don't share a common data processor).
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,590
Location
Merseyside
Do I need to have expressly said "do not transfer my details to TOC B" for them not to be allowed to do it? This is a case of, my telling them I am in contact with TOC B already but reconfirming to TOC A that my reason for contacting them is about them. Yet they have ignored this anyway and passed it to TOC B.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,784
Location
Scotland
Do I need to have expressly said "do not transfer my details to TOC B" for them not to be allowed to do it?
It does strengthen the idea that passing the data was covered by "legitimate interest".
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
Regardless of that, if I specifically tell Company A to not pass my details to Company B and despite that request they do then they have breached data protection law (assuming that A and B don't share a common data processor).

Also worth noting that even if both TOCs were, say, FirstGroup TOCs, that would still apply because it's the legal entity that is the data controller, not the parent company. As another example Scout Groups are individual charities with their own data controllers so they can't pass stuff around Scouting more widely willy-nilly.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,590
Location
Merseyside
Complaint submitted to TOC A Data Protection Officer. Is it worth contacting the Data Protection Officer at TOC B at this point, explaining that I believe the information has been disclosed to them incorrectly and asking for it to be deleted?

It will be interesting to see what their reply is. They may throw at me their complaint handling procedure which makes provisions for passing information on, argue it was legitimate interest or even say "you never said we couldn't pass it on. All you said was you'd contacted them yourself already." Watch this space.
 

Mathew S

Established Member
Joined
7 Aug 2017
Messages
2,167
Having been involved with a fair bit of GDPR work thanks to my job, I am pretty damn confident that passing the complaint to another ToC (if appropriate and correct) would be covered under legitimate interest. After all, it is in your interest that the complaint gets to the right place!
It would.
 

Surreytraveller

On Moderation
Joined
21 Oct 2009
Messages
2,810
I don't think anybody really understands GDPR. It's been made really complicated, and the whole thing is a mess.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,784
Location
Scotland
I don't think anybody really understands GDPR. It's been made really complicated, and the whole thing is a mess.
It's actually not nearly as complicated as people have made it seem.
TBH you could have got most of the desired effect by simply outright banning direct mass marketing. I'd have been quite happy if they did.
Not really. Specifying and codifying the data subject rights was a big needed change.
 

_toommm_

Established Member
Joined
8 Jul 2017
Messages
5,855
Location
Yorkshire
There's also the issue of companies interpreting it in their own way - the Saturday job I used to have in Marks and Sparks would not take card payments over the phone due to the GDPR, but I know full well that they do inside John Lewis.

Of course this is a rather pragmatic example for this forum, but it shows how interpretive the law is, and even inside the same company, one manager will apply the law differently to another, etc.
 

Mathew S

Established Member
Joined
7 Aug 2017
Messages
2,167
I don't think anybody really understands GDPR. It's been made really complicated, and the whole thing is a mess.
It's not complicated at all, it's really simple. There's a list of legal bases on which you can process personal data. All you have to do is 1) make sure you stay within them, 2) document your data procedures and processes, and 3) give people access to, and the opportunity to correct/delete, their own data.
The whole consent thing is a massive red herring.
 

jumble

Member
Joined
1 Jul 2011
Messages
1,107
I don't think anybody really understands GDPR. It's been made really complicated, and the whole thing is a mess.

It is and I suspect that the OP is not going to get much sense from anyone and will not get any useful outcome.
I also believe that it is naive to think the ICO is going to care much in these circumstances if the original TOC believed they were doing the right thing.
It will be interesting to see if I am right or wrong.
Jumble
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
There's also the issue of companies interpreting it in their own way - the Saturday job I used to have in Marks and Sparks would not take card payments over the phone due to the GDPR, but I know full well that they do inside John Lewis.

Of course this is a rather pragmatic example for this forum, but it shows how interpretive the law is, and even inside the same company, one manager will apply the law differently to another, etc.

It's used falsely as an excuse to shut down complaints in the same way "security reasons" is in airports.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
The whole consent thing is a massive red herring.

It is and it isn't. Consent is an important legal basis, and is (in most contexts) the only one under which marketing can be conducted. It is however the weakest legal basis (because it can be withdrawn at will, and failure to give it cannot disadvantage the subject), and so if one of the others applies you should use it.

This doesn't however justify taking morally poor actions, GDPR or no, such as transferring data when explicitly instructed not to do so.
 

nickswift99

Member
Joined
7 Apr 2013
Messages
273
It is and I suspect that the OP is not going to get much sense from anyone and will not get any useful outcome.
I also believe that it is naive to think the ICO is going to care much in these circumstances if the original TOC believed they were doing the right thing.
It will be interesting to see if I am right or wrong.
Jumble
It depends how many complaints the ICO get about the TOC. Lots of complaints may indicate systemic problems that should be addressed and then the ICO would clearly be much more interested.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
It depends how many complaints the ICO get about the TOC. Lots of complaints may indicate systemic problems that should be addressed and then the ICO would clearly be much more interested.

FWIW the ICO's approach is more to help people comply when things are reported than to fine them, but if they are stubborn and will not change their approach then the fines are wheeled out.
 

island

Veteran Member
Joined
30 Dec 2010
Messages
16,113
Location
0036
There's also the issue of companies interpreting it in their own way - the Saturday job I used to have in Marks and Sparks would not take card payments over the phone due to the GDPR, but I know full well that they do inside John Lewis.

That is likely to be PCI-DSS rather than GDPR.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,784
Location
Scotland
That is likely to be PCI-DSS rather than GDPR.
Indeed. The compliance requirements are strict enough that I can understand some companies just refusing to take payments over the phone.
 

35B

Established Member
Joined
19 Dec 2011
Messages
2,295
Yes. I'm considering the situation where two TOCs outsource their customer service operations to the same supplier. Once lawfully transferred, the data becomes the responsibility of the data controller at the supplier. I'm less than convinced that (assuming that the CRM system is only accessible by the supplier) if Bob answers using one email address there's no breach, but if Bob answers using a different email address there is a breach.
I work for an outsourcer, and we are not the Data Controller for the data we process on behalf of our clients but the Data Processor. The obligations differ.
 