Surreytraveller
On Moderation
- Joined
- 21 Oct 2009
- Messages
- 2,810
They didn't need to ask, but the fact they did, under GDPR, means the OP can retrospectively withdraw that consent
-
Our booking engine at tickets.railforums.co.uk (powered by TrainSplit) helps support the running of the forum with every ticket purchase! Find out more and ask any questions/give us feedback in this thread!
Penalty Charge retrospectively by GWR based on Trainline history for the past 5 years
- Thread starter marcali
- Start date
- Status
Sponsor Post - registered members do not see these adverts; click here to register, or click here to log in
R
RailUK Forums
AlterEgo
Veteran Member
You can’t give or withdraw consent to your data being stored or processed for the purposes of investigating crimes you are alleged to have committed.
Surreytraveller
On Moderation
- Joined
- 21 Oct 2009
- Messages
- 2,810
Exactly. So the fact they asked for consent means that data they gave at the point of questioning cannot be used for that purpose.
AlterEgo
Veteran Member
As @Haywain has pointed out they did not need to ask for it. They are entitled to it anyway.
It’s like a police officer stopping you in the street under reasonable suspicion and asking if they can search you. “Ok Mr Smith I’m going to search you now to see if you’re carrying a weapon, is that ok?”
They’ve got that right anyway, even if you refuse.
It's possible that - quite understandably, given the stress of the situation - the OP misunderstood what the member of staff was saying and that they were in fact simply complying with the obligation to inform them of the fact that they'd be processing their data under the GDPR.
Surreytraveller
On Moderation
- Joined
- 21 Oct 2009
- Messages
- 2,810
I get that. But the fact is they did ask for it. Therefore they waived their right to just do it. Under GDPR that means that consent can be retrospectively withdrawn. Obviously consent to be searched by the police doesn't come under GDPR, so that is different.
AlterEgo
Veteran Member
No, they haven’t waived any such right. Where in the GDPR regulations is that stated?
I'm which case they simply change the basis under which they're processing the data in question from consent to legitimate interest and continue processing it anyway.
Consent isn't a gotcha in terms of GDPR. Simply the easiest basis by which to show you had permission to process personal data. There are other basis which can be used instead, they just require more legwork to demonstrate compliance with data protection law.
Tetchytyke
Veteran Member
I remain sceptical of the TOCs’ reliance on the “investigating crime” exemption. Alleging someone has committed a criminal offence does not give one carte blanche to do whatever you want with someone else’s data. You have to have a legal basis for processing that data, and the police have been given that legal basis elsewhere in the Data Protection Act. Despite their attempts to claim otherwise, the TOCs do not have those powers.
I remain firm in my believe that the TOCs and Trainline should not be doing what they are doing, but also that the UK Information Commissioner is about as much use as a chocolate teapot. As I said in the other thread, who’s going to stop them?
Based on my second point, going too far down the GDPR rabbit hole is unlikely to be productive for the OP.
My advice is the same as with all the other fishing trips: say nothing and ask them for evidence of everything they suggest, starting by asking about the ludicrous figure they’ve just plucked out of thin air. They’re making ridiculous threats to try and scare you, remember that.
I would, however, pay the fare+admin fee as they have the OP bang to rights on that one.
- Status