
Is this a breach of GDPR by TOC?

Status
Not open for further replies.

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,866
Location
Scotland
I work for an outsourcer, and we are not the Data Controller for the data we process on behalf of our clients but the Data Processor. The obligations differ.
That will depend very much on the contract - for example, I used to work for an outsourcer as well, for some clients we owned the database, for others we used a client-provided database. In the former case we were very much the data controller, for others we were just a processor.
 

Surreytraveller

On Moderation
Joined
21 Oct 2009
Messages
2,810
That will depend very much on the contract - for example, I used to work for an outsourcer as well, for some clients we owned the database, for others we used a client-provided database. In the former case we were very much the data controller, for others we were just a processor.
The law changed last May. If you are processing data for a data controller you are a processor, not a controller, if you are doing what they are contracting you to do.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,866
Location
Scotland
The law changed last May. If you are processing data for a data controller you are a processor, not a controller, if you are doing what they are contracting you to do.
I'm familiar with the changes to the legislation - I was GDPR training lead for a 500+ employee company.

And you are correct that the contracting company's data controller retains overall responsibility when a third-party is providing a service, but that third party also has data controller obligations while the data is under their control (the clue is in the name).

If a breach occurs due to negligence on the part of the third party, they will be on the hook for any fine as long as the contracting party can show that they did due diligence (e.g. got a GDPR compliance statement from the third-party).
 

janb

Member
Joined
16 Jul 2008
Messages
679
I'm not quite sure why you were asked for that for a weekly, for which no reissue rights apply. To me that's unnecessary collection which is itself a breach; no data should be collected that is not necessary and where each element of data collected does not have a specific, known purpose at the time of collection. (Not "might be necessary"[1], but IS necessary). I don't recall being asked for details for issue of a weekly photocard; those were collected the first time I then used that card to purchase a monthly.

Relatively recently Northern removed the functionality to issue a weekly without accessing GoldSTAR from STAR. This means they now have to be issued through GoldSTAR and thus name and address details entered into the database. I thought it may be to do with their experience with the enhanced compensation scheme at first but more likely I guess maybe it's the introduction of smartcards that has prompted it. Whether the company are justified in doing so is another matter.
 

Fawkes Cat

Established Member
Joined
8 May 2017
Messages
3,015
It would seem that the OP has complaints against two TOCs, arising from the same incident [EDIT 8/3/19: That's not actually the case - per the OP's post #68 below, there were two separate issues. So my argument here doesn't follow through.]. If I've got that right, then presumably the OP wants one or both of two things:
- for the TOCs to learn their lessons and not repeat the problem;
- for the OP to receive some sort of recompense for the difficulty that they should not have faced.

It seems to me that to meet these aims, each TOC needs to be in possession of as full a picture of what happened as possible. So leaving GDPR out of it for the moment, and also leaving out that TOC A have (in the OP's view) wrongly identified the complaint as being one for TOC B, it is actually in the OP's interest for TOC A to forward information to TOC B.

Let's pause there for a moment, and put ourselves in the shoes of the TOC A complaint handler. Have they acted maliciously in passing information to TOC B? I don't think so. While they have shown a lamentable ignorance of GDPR, and may have misunderstood which TOC the complaint is about, they have tried to help the OP by passing useful information on to the organisation who (in the TOC A complaint handler's opinion) are best placed to help the OP. They have tried to do something nice. And that being the case, it seems a little ungrateful of the OP to now complain about the handling of their complaint.

But we can't leave GDPR out of it - it is part of the law that we live under. And the OP is firm in their belief that TOC A need to deal with their complaint. So the question is how raising a GDPR complaint helps to resolve the initial complaints against TOCs A and B.

I don't see that it does. If the OP's aim is preventing repetition or getting recompense, then they will want both TOCs to have as full a picture as possible - the OP has an interest in information being shared around (which in passing, I don't think is a legitimate interest as a ground for data processing - for legitimate interest to allow data processing, it's the data controller's legitimate interest which is relevant, not the data subject's interest). So it's hard to see that there is any benefit to the OP in drawing GDPR to the TOCs' attention. That must mean that the OP has another motivation. And it may be down to lack of imagination, or a particularly cynical worldview on my part, but the only other motives which leap to my mind are that
- the OP wants to make things difficult for the TOCs, or
- the OP wants to be recompensed to the full by each of the TOCs involved, rather than overall receiving recompense commensurate with the problems faced.

The first of these is an abuse of process: GDPR is there to allow individuals protection of their data, not to let them harass corporations. The second seems like an attempt to enrich the OP beyond recompense, and that, once again, is not what the process is for.

I hope that I just have a particularly jaundiced view of the world today, and look forward to being corrected on the assumptions that I've made about the OP's motives. But I struggle to see what practical benefit there will be from the OP exercising their GDPR rights.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,866
Location
Scotland
I hope that I just have a particularly jaundiced view of the world today, and look forward to being corrected on the assumptions that I've made about the OP's motives. But I struggle to see what practical benefit there will be from the OP exercising their GDPR rights.
I follow your argument, but as I read it the issue is that TOC A has done the wrong thing for the right reason. While in this case there's (probably) no harm done, the fact that they have (arguably) breached GDPR is a problem in itself. So it's worth at least making them aware of the potential breach.
 

ComUtoR

Established Member
Joined
13 Dec 2013
Messages
9,512
Location
UK
I too get the impression that there are less than honest intentions here. That aside, I do wonder if this may be a case where you can get TOC A and TOC B both being the same TOC.

If I was at Bromley South and was waiting for a Thameslink service and there were issues then I could justifiably bring a complaint against both Thameslink and Southeastern. From an outside perspective you could consider the TOCs to be distinct and unique. However, they are pretty much the same TOC. Less of a connection than Southern/Thameslink/Great Northern but still there is a link. Especially when they have shared resources.

I have had quotes from an insurance company and discovered purely by chance that AXA and Swiftcover are the same company and the operator literally thought she was pulling my details from one company but when I queried it, she flipped to the other company. :/ In the end she pulled my no claims details from the system because she was able to access the information.

Could it be a case where the parent company of the TOCs are the same or split by 'brand'? Clearly my data was shared between two different companies (at least from my perspective).

I have also been wondering if there was any actual sharing of 'data'. For example, if there was a complaint about a connection or a delay of some sorts that affected both TOCs and that TOC A felt that it wasn't something within their control but felt TOC B could act and that they passed a 'complaint' about the issue to TOC B and left out any personal details, i.e. "We have had a complaint about X and feel that this is more appropriate to your TOC and could you please look into it".

I am not privy to the intricacies of GDPR. I have brought one GDPR complaint against an institution but it was a very clear breach. Other than what their response was I get the impression that zilch was done and my complaint effectively fell on deaf ears. Even communicating directly with the ICO it quickly became clear that our data can still be shared.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,625
Location
Merseyside
There are no dishonest intentions here. Both the TOCs are totally different and owned by different holding companies. There is also no delay issue here as I have already said.

My complaint to TOC A was about issues relating to the purchase of the ticket. They have looked at this, totally ignored the fact about the issue with ticket purchase, and said that it is about TOC B as "you travelled on a train operated by TOC B and your correspondence is not about a journey operated by TOC A."

Meanwhile I had contacted TOC B myself regarding problems on board relating to on board conditions. So it really doesn't require TOC A to be sending anything over to them.

This whole issue would not have happened if, from the outset, TOC A accepted that the problem relating to the ticket purchase lay with them.
 

Fawkes Cat

Established Member
Joined
8 May 2017
Messages
3,015
My complaint to TOC A was about issues relating to the purchase of the ticket. TOC. (...)

Meanwhile I had contacted TOC B myself regarding problems on board relating to on board conditions

Two different issues. I had misunderstood this. So I am sorry for the conclusions I drew based on that misunderstanding.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,625
Location
Merseyside
Thanks for your advice guys. I have not been able to take the required next steps in light of this.

(MODS: I'm happy for thread to be locked now if you wish.)
 