Is this a breach of GDPR by TOC?

Status
Not open for further replies.

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,596
Location
Merseyside
I know there has been a long-standing history of TOC customer relations passing a complaint to another TOC if it doesn't relate to them. However, in light of the GDPR, do they now need the customer's permission to do this?

I have had a reply from a complaint with a TOC. They have misunderstood my complaint and passed it onto another TOC. I made it clear why my complaint was with them but they have failed to understand that. I also did not give them permission to pass my complaint and details onto anyone else. Have they done anything wrong here in light of the GDPR (which I assume would override any internal railway industry policy)?
 
RailUK Forums

_toommm_

Established Member
Joined
8 Jul 2017
Messages
5,856
Location
Yorkshire
If I remember correctly, you agree for the details to be passed to another TOC in the event that you send the claim in to the wrong company. Whether that's a breach of the GDPR, I doubt personally, as it's in the T&Cs of the delay repay form.
 

Starmill

Veteran Member
Joined
18 May 2012
Messages
23,395
Location
Bolton
you agree for the details to be passed to another TOC in the event that you send the claim in to the wrong company
Where have you heard this before? Where might it be found?
in the T&Cs of the delay repay form.
What are these? Where might I find them? And why might they apply to the OP's complaint, which I doubt could have been submitted using a delay repay form?
 

Bertie the bus

Established Member
Joined
15 Aug 2014
Messages
2,791
If I remember correctly, you agree for the details to be passed to another TOC in the event that you send the claim in to the wrong company. Whether that's a breach of the GDPR, I doubt personally, as it's in the T&Cs of the delay repay form.
I doubt that would stand up in court - if the only way to receive compensation you are contractually entitled to is to waive certain rights under law. Company Ts&Cs don’t take precedence over the law.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,596
Location
Merseyside
Processing data and disclosing it to a third party, along with details of the complaint and my contact details, are two different things.
 

island

Veteran Member
Joined
30 Dec 2010
Messages
16,132
Location
0036
Processing data as defined in the GDPR includes disclosing/transferring it, and still does not require consent. It is permissible if it's in the legitimate interests of the data controller, and it is easily a legitimate interest of the data controller to transmit a complaint to the company which can properly deal with it.
 

87 027

Member
Joined
1 Sep 2010
Messages
699
Location
London
That's right, consent is only one of several bases of processing. My own organisation's GDPR-updated privacy policy sets out all the bases on which we process personal information. Only one of them (signing up for our newsletter) is consent based. The rest are statutory or public interest and we explicitly state that there will be circumstances where this trumps your rights of objection.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
6,596
Location
Merseyside
I've just had a look at the link you gave and the 6 legitimate reasons you posted in a list. I do feel very annoyed that TOC A has passed my details to TOC B. I made it clear in my complaint to TOC A that I had already been in contact with TOC B separately. I therefore feel that they didn't, under these circumstances, have any need to pass such details on. I shall be complaining to their Data Protection Officer.
 

Bayum

Established Member
Joined
21 Mar 2008
Messages
2,905
Location
Leeds
I've understood GDPR data breaches as those breaches that allow others to build a profile of you, INCLUDING 'sensitive' data.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,896
Location
"Marston Vale mafia"
If I remember correctly, you agree for the details to be passed to another TOC in the event that you send the claim in to the wrong company. Whether that's a breach of the GDPR, I doubt personally, as it's in the T&Cs of the delay repay form.

This would be true of Delay Repay but not a complaint sent directly, where I would agree this would be a breach. If you stated you had a complaint with TOC A, I don't think involving TOC B without asking you would fit "legitimate interest" because you felt your complaint was with TOC A and they don't have a basis to determine that they thought it was with TOC B without discussing that first.
 

js1000

Member
Joined
14 Jun 2014
Messages
1,011
TOCs seem to be really slack when dealing with GDPR. I had to give my name and address when buying a Northern weekly season ticket recently without any consent form, T&Cs etc., which seems like a slippery slope to me to have no legal agreement in writing. As the saying goes: if it isn't in writing, it doesn't exist.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,896
Location
"Marston Vale mafia"
TOCs seem to be really slack when dealing with GDPR. I had to give my name and address when buying a Northern weekly season ticket recently without any consent form, T&Cs etc., which seems like a slippery slope to me to have no legal agreement in writing. As the saying goes: if it isn't in writing, it doesn't exist.

I'm not quite sure why you were asked for that for a weekly, for which no reissue rights apply. To me that's unnecessary collection which is itself a breach; no data should be collected that is not necessary and where each element of data collected does not have a specific, known purpose at the time of collection. (Not "might be necessary"[1], but IS necessary). I don't recall being asked for details for issue of a weekly photocard; those were collected the first time I then used that card to purchase a monthly.

For a monthly, it would not come under consent but under legitimate interest - it is required to manage your season ticket account e.g. in relation to the provision of refunds in the event of loss/theft, and that account management is in the interest of the TOC and the passenger, so passes the "legitimate interest test" (an informal risk/benefit analysis type thing that determines if "legitimate interest" can be used as a basis).

If it was for advertising purposes that would need consent, which I personally never give as a matter of policy. Indeed, GDPR was in many ways intended as a means of reining in e-mail and telephone "spam" - there are very few elements of it, other than in terms of it being more formal in application, that weren't already the law in DPA1998, it's just that people were ignoring them, and all the publicity surrounding GDPR means they now can't get away with that any more, to which I say "good".

[1] Other than things like collecting medical details of young people on a Scout camp in case of going to hospital with an injury or illness. This would be seen as "is necessary" because it may not be possible to collect them at the point of needing them without a risk to life.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,840
Location
Scotland
If you stated you had a complaint with TOC A, I don't think involving TOC B without asking you would fit "legitimate interest" because you felt your complaint was with TOC A and they don't have a basis to determine that they thought it was with TOC B without discussing that first.
Just to throw something out there, in many cases customer services functions are outsourced and it may be that TOC A and TOC B use the same provider. If that is the case I'm not sure that a breach has occurred since it's the same data controller.
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
Just to throw something out there, in many cases customer services functions are outsourced and it may be that TOC A and TOC B use the same provider. If that is the case I'm not sure that a breach has occurred since it's the same data controller.
The data controller would always be the individual TOC. Unless the two TOCs are actually just different brands of the same company (e.g. Gatwick Express and Southern), that would mean a transfer of data from one controller to another.
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
Originally, yes. But once the data is lawfully transferred to the third-party supplier, they acquire data controller obligations.
By third-party supplier, are you referring to an agency that the TOC has outsourced customer service to?
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,840
Location
Scotland
By third-party supplier, are you referring to an agency that the TOC has outsourced customer service to?
Yes. I'm considering the situation where two TOCs outsource their customer service operations to the same supplier. Once lawfully transferred, the data becomes the responsibility of the data controller at the supplier. I'm less than convinced that (assuming that the CRM system is only accessible by the supplier) if Bob answers using one email address there's no breach, but if Bob answers using a different email address there is a breach.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,896
Location
"Marston Vale mafia"
Just to throw something out there, in many cases customer services functions are outsourced and it may be that TOC A and TOC B use the same provider. If that is the case I'm not sure that a breach has occurred since it's the same data controller.

That would still be a breach in my view. Only people within an organisation who need to process/view data should do so. Just because a piece of data is transferred to another organisation by "legitimate interest" or "contract" does not mean that it can be made visible without restriction to all staff of that organisation.

I don't mean the e-mail address makes any difference, but I would suggest that it would still be necessary to get back to the applicant with "This is not a valid claim for TOC A, however it would be for TOC B whose claims we also process. Would you like me to submit it for TOC B processing?" before doing so.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,840
Location
Scotland
That would still be a breach in my view. Only people within an organisation who need to process/view data should do so. Just because a piece of data is transferred to another organisation by "legitimate interest" or "contract" does not mean that it can be made visible without restriction to all staff of that organisation.
I agree that it can't be made visible to all staff. However, if it is actually the same people who process the data for both clients then it's less clear that a breach has occurred as no data has been revealed (or potentially revealed) to any party who did not have permission and/or a lawful reason to access it.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,896
Location
"Marston Vale mafia"
I agree that it can't be made visible to all staff. However, if it is actually the same people who process the data for both clients then it's less clear that a breach has occurred.

Provided data (other than anonymised statistics) was not provided back to TOC B, I would probably agree - but it would have to be the case that it was a single processing system with all data in the same database. If it was segregated in any way, even if it was within the same group of staff, moving across the segregation would in my view be enough for a breach to have occurred.

Furthermore if it was a complaint rather than Delay Repay, at some point a member of TOC B staff is going to have to be involved to actually resolve it (unless they are just "resolving" it by paying the customer to get lost, which is in my book truly contemptible but very common) - at that point you definitely do have a breach.
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
Let's be realistic here though - even if it's a breach (and I happen to agree that, in certain circumstances, it might constitute a breach), the ICO has much bigger priorities. I'm not sure there would be much point in taking civil action, either, as you'd probably get nominal (read: £1) damages awarded, alongside a wasted costs order for bringing a case that might graciously be described as "unmeritorious" by the Judge.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,896
Location
"Marston Vale mafia"
Let's be realistic here though - even if it's a breach (and I happen to agree that, in certain circumstances, it might constitute a breach), the ICO has much bigger priorities. I'm not sure there would be much point in taking civil action, either, as you'd probably get nominal (read: £1) damages awarded, alongside a wasted costs order for bringing a case that might graciously be described as "unmeritorious" by the Judge.

Just because enforcement of a law may be impractical does not mean that Data Controllers don't need to be responsible citizens and stick to it, though. GDPR was brought in because too many organisations, particularly marketeers but also others, were taking liberties. I don't think we should therefore cut them any slack.

Other than those wishing to deliver customer service on a very tight budget (which is no way to deliver it), a quick email to the customer of "I don't believe your complaint is valid against TOC A because X, but we can process it via TOC B, do you want us to" before processing it as such would be appropriate. That in this case would be met with an appropriately curt "No, you do not have my consent to do this, if you read it properly my complaint is clearly against TOC A, please process it properly".

What I certainly do not accept, and would out of principle push the complaint as high as I could including things like SARs[1], is an organisation effecting a legally inappropriate transfer because they hadn't read my complaint properly. It's bad enough companies not reading complaints properly in the first place, let alone releasing my data to another organisation *because* they hadn't.

[1] Subject access requests are now free, and while I haven't done it yet, some people certainly do now use them as a legal means of "whacking" the target organisation with something awkward/costly to do rather than actually caring about reading the data. I know my house mate does do this, and he makes sure they give him everything they have including things that might be slightly awkward to get e.g. call recordings.
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
Just because enforcement of a law may be impractical does not mean that Data Controllers don't need to be responsible citizens and stick to it, though. GDPR was brought in because too many organisations, particularly marketeers but also others, were taking liberties. I don't think we should therefore cut them any slack.

Other than those wishing to deliver customer service on a very tight budget (which is no way to deliver it), a quick email to the customer of "I don't believe your complaint is valid against TOC A because X, but we can process it via TOC B, do you want us to" before processing it as such would be appropriate. That in this case would be met with an appropriately curt "No, you do not have my consent to do this, if you read it properly my complaint is clearly against TOC A, please process it properly".

What I certainly do not accept, and would out of principle push the complaint as high as I could including things like SARs[1], is an organisation effecting a legally inappropriate transfer because they hadn't read my complaint properly. It's bad enough companies not reading complaints properly in the first place, let alone releasing my data to another organisation *because* they hadn't.

[1] Subject access requests are now free, and while I haven't done it yet, some people certainly do now use them as a legal means of "whacking" the target organisation with something awkward/costly to do rather than actually caring about reading the data. I know my house mate does do this, and he makes sure they give him everything they have including things that might be slightly awkward to get e.g. call recordings.
Oh, I agree. Just saying that, much as the rules are the rules, if they aren't followed then there aren't always (appropriate) penalties.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,840
Location
Scotland
Other than those wishing to deliver customer service on a very tight budget (which is no way to deliver it), a quick email to the customer of "I don't believe your complaint is valid against TOC A because X, but we can process it via TOC B, do you want us to" before processing it as such would be appropriate. That in this case would be met with an appropriately curt "No, you do not have my consent to do this, if you read it properly my complaint is clearly against TOC A, please process it properly".
I agree that would be the best way to handle it.
 

WelshBluebird

Established Member
Joined
14 Jan 2010
Messages
4,923
Having been involved with a fair bit of GDPR work thanks to my job, I am pretty damn confident that passing the complaint to another TOC (if appropriate and correct) would be covered under legitimate interest. After all, it is in your interest that the complaint gets to the right place!
 