
[Misc] GDPR data retention



maffew

Well-known member
Dec 10, 2003
8,858
Worcester England
I know a couple of people on here did their GDPR roll-outs for their work/websites, not least [MENTION=6886]Bozza[/MENTION].

I have a reasonable understanding of data compliance and GDPR/DPA; it's always been associated with my line of work, but I want to put this out there - your thoughts...

Upon trying to open an account, online, with a large multimedia company this week (purely to take advantage of an offer for new customers), I was very surprised when it told me that I already had an account. I enquired how this could be, as I have been out of the country since 2010 and I have a totally different phone number, email address and physical address. They said they could verify the account was from 2006 and could I confirm my mother's maiden name and my address at this time. Well, I said no, the postcode would be BN something but I have no idea beyond that. But firstly, why have you still got my information from 12 years ago? And secondly, why are you validating customers based on their name and DOB with 12-year-old data? It's not exactly a proper unique identifier. Indeed I worked with a guy with the same first name and exactly the same DOB (we were in fact born in the same hospital and lived a street apart, but I digress). It's not like it is the police, or the NHS, or even a financial institution.

I asked them to get a manager to email me, to which they stated "a manager is not going to be emailing you back about this".

Well, that got me annoyed. Mostly because I wanted to have a free offer. But actually that to me is a totally unacceptable amount of time to hold someone's data. Yes, I know companies have to keep reasonable data for business purposes. Perhaps for validating car finance, or applying for a loan - even then I think 12 years is too much. Notwithstanding that the verification of who I am or was or might be is flawed.

I might bring it to the ICO. To be honest I wouldn't even think that they could accurately exercise my right to be forgotten, as I wouldn't see how I could even validate that the DOB and name of the account holder at a Brighton address 12 years ago was indeed me. (I am sure it was, by the way, though I couldn't prove nor disprove it.) There is tons of legacy data around, I know, but to me this isn't acceptable. Nor is their response when I asked for it to be escalated.
Thoughts?
 

jasetheace

New member
Apr 13, 2011
712
Would probably come under "legitimate interests" under current regs. They should spell out the retention reasons in their privacy policy.
 

Westdene Seagull

aka Cap'n Carl Firecrotch
NSC Licker Extraordinaire
Oct 27, 2003
20,923
The arse end of Hangleton
Time for a Subject Access Request and once you have the information ask them to delete it.
 

maffew

Well-known member
Dec 10, 2003
8,858
Worcester England
Would probably come under "legitimate interests" under current regs. They should spell out the retention reasons in their privacy policy.

Yeah, the legitimate interests nonsense to me is a wildcard they can play. Here they will say "well, it is of legitimate interest": we identified you as a historic customer (probably) and therefore 12 years prevented duplicating your customer details. I thought it was meant to be "reasonable" and "proportionate" though. Which to me is things like NHS/dentist records, or the DNA database. Not a multimedia account loosely coupled with me.
 

maffew

Well-known member
Dec 10, 2003
8,858
Worcester England
Time for a Subject Access Request and once you have the information ask them to delete it.

Now I can do that (I think they can charge for it?). In this instance, if I am truly honest, it's more a matter of principle really now, and I am annoyed that they didn't see my concern as a valid reason to log it with their compliance people to contact me back.
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
35,239
The old records allowed them to identify you as a returning customer and not a new one. Sounds like an argument for a reasonable time to hold the data. The legislation is flexible, with no length of time; it says data held needs to be for an explicit purpose and limited to what is needed for the purpose. If you have a database called "historic customers", the length of time it can be retained is pretty much indefinite. Agree this may be against expectation and the spirit of the GDPR, but there you are.
 

Horses Arse

Well-known member
Jun 25, 2004
4,571
here and there
There's a fella called Tim something-or-other who is an expert on such things, I believe. Hangs around Hove Lawns mostly.
 

maffew

Well-known member
Dec 10, 2003
8,858
Worcester England
The old records allowed them to identify you as a returning customer and not a new one. Sounds like an argument for a reasonable time to hold the data. The legislation is flexible, with no length of time; it says data held needs to be for an explicit purpose and limited to what is needed for the purpose. If you have a database called "historic customers", the length of time it can be retained is pretty much indefinite. Agree this may be against expectation and the spirit of the GDPR, but there you are.

OK, I get that. And clearly their data retention policy for historic customers has identified me as a possible returning customer. But name and DOB as a primary key, if you like? I would never get away with using those as an identifier with historic data (even with a mother's maiden name appended to it), and I actually couldn't confirm the address I was living at at that time. Nor would I expect to hold on to that kind of information for so long. I don't know what/if I intend to do anything, because it's not exactly for a mortgage or a crime I didn't commit. Just seems inappropriate.
 


Joey Jo Jo Jr. Shabadoo

Waxing chumps like candles since ‘75
Oct 4, 2003
10,844
Now I can do that (I think they can charge for it?). In this instance, if I am truly honest, it's more a matter of principle really now, and I am annoyed that they didn't see my concern as a valid reason to log it with their compliance people to contact me back.

Subject access requests are free in most cases now under GDPR and they’ve got to respond inside 30 days.

https://ico.org.uk/for-organisation...ation-gdpr/individual-rights/right-of-access/

As others have said they should have a privacy policy which outlines data retention. Where I work we’ve done a lot of work around GDPR and we’ve got to keep certain data for a number of years by law as we provide health care. This is all clearly outlined in our privacy policy.

I’d certainly do a subject access request and, if they don’t respond in a timely manner, report it to the ICO; you can also exercise your right to be forgotten by them.
 
Jul 7, 2003
8,542
OK, I get that. And clearly their data retention policy for historic customers has identified me as a possible returning customer. But name and DOB as a primary key, if you like? I would never get away with using those as an identifier with historic data (even with a mother's maiden name appended to it), and I actually couldn't confirm the address I was living at at that time. Nor would I expect to hold on to that kind of information for so long. I don't know what/if I intend to do anything, because it's not exactly for a mortgage or a crime I didn't commit. Just seems inappropriate.

As long as they are only using your data to identify you as a returning customer and it is detailed in their data privacy/use policies, then they have done nothing wrong, either under GDPR or the previous Data Protection rules. You will have agreed to the terms and conditions back in 2006, although probably, like 99.9% of us on here, you would not have read them in detail or considered how they might affect you 12 years later.
 


Acker79

Well-known member
NSC Licker Extraordinaire
Nov 15, 2008
31,744
Brighton
As long as they are only using your data to identify you as a returning customer and it is detailed in their data privacy/use policies, then they have done nothing wrong, either under GDPR or the previous Data Protection rules. You will have agreed to the terms and conditions back in 2006, although probably, like 99.9% of us on here, you would not have read them in detail or considered how they might affect you 12 years later.

But all those emails people received about updated terms and conditions in anticipation of GDPR - shouldn't there have been one of those from the company?
 
Jul 7, 2003
8,542
But all those emails people received about updated terms and conditions in anticipation of GDPR - shouldn't there have been one of those from the company?

Not necessarily. My understanding is that if the original conditions were clear and had not changed then there was no need to re-seek permission.

Also, we don't know if the OP was sent an email or if it would have been sent to an old email address.
 

timbha

Well-known member
Jul 5, 2003
9,807
Sussex
OP - did you wake up in a bad mood today? First thing on your mind was GDPR?
 


maffew

Well-known member
Dec 10, 2003
8,858
Worcester England
Not necessarily. My understanding is that if the original conditions were clear and had not changed then there was no need to re-seek permission.

Also, we don't know if the OP was sent an email or if it would have been sent to an old email address.

They could well have sent an email, probably to a work address back then which no longer exists anyway. I thought that the emails that were sent were a new opt-in anyway, and positive replies would be an opt-in, and no reply/opt-out would be do-not-contact. That's a different story anyway; I tried to market myself to them, not the other way round :)
 
