GDPR fun

Got this email through this morning from a company I haven't used since 2015, and even then it was a one off - I hadn't heard anything from them at all since then. They weren't even hacked, they seemingly just gave away my data to a journalist.

I feel cross. Should I be cross? Is there an easy way I can check which companies still hold my data and could be spaffing it out randomly?

Dear pizzarat,

This morning we became aware that some of your personal data was accessed by a third party.

The personal data in question includes your name, postcode, telephone number and email address that you provided in relation to your account. No credit card, payment data or your password was accessed as part of the breach.

We wanted to first reassure you that as soon as we became aware of the breach, we took steps to fix it and can confirm that the data is protected.

At the moment it appears that the data was accessed by a security researcher who passed it on to a journalist. If this is the case, the risk of phishing emails or use of your data is substantially lower, however we wanted to alert you as soon as possible and will continue to investigate.

We have posted an FAQ on the implications and guidance around what to do now (read here), however we recommend that you are vigilant for potential phishing emails, particularly any that appear to come from DaftpotsRus or DaftpotInc. We will never contact you to request personal or confidential information including card or payment details.

We take the security of our users' personal data very seriously and we offer you our sincere apologies that this has happened.

If you have any questions, please do not hesitate to contact us

I'm reading that as: the security researcher is not an employee of the org and has penetrated their records passing info to journalist to report on breach.

So they have been caught out storing personal data in an unsafe way- I'd be cross.

Edit- they were hacked, but by a 'researcher'.

I see, boo.

I got the same email. I know your secrets.

https://techcrunch.com/2018/11/27/urban-massage-data-exposed-customers-creepy-clients/
?

Maybe they only kept the details of the sex pests?

Has anyone here filed a complaint regarding GDPR non compliance? I just had an animated to and fro with Virgin media. I wanted a copy of my previous phone call recordings to dispute a charge they had placed on my account. The call center worker flat out said "no we can't do that for data privacy reasons". I then asked to stop being recorded to which I was told they don't have the option to not record my phone call. I get that Virgin probably outsources their call center work to an external company in India, but they're effectively acting as a proxy for Virgin and I expect such a large company to be better equipped to handle the new GDPR laws.

No-one is set up for it. The best most companies have done is work out what the data retention should be, they'll figure out the provision of data question only when law suits arise.

Besides, you can't just ask verbally (which is what you make it sound like), you need to do so in writing with proof that you are the subject in question.

I actually managed to get a manager at the call centre to log my request for the recordings and will have them emailed to me in 30 days. I was fully prepared to have to submit something in writing to their complaints department. I guess the thing that irked me was the blatant refusal to cease the call recording and the total lack of understanding by the manager I spoke to about the data protection laws that Virgin must adhere to. It definitely seems that Virgin haven't bothered to update their call centres on the new laws and will only improve processes once complaints/lawsuits are raised.

Raise a complaint with the ICO - that's what they're there for.
https://ico.org.uk/make-a-complaint/

I guess the thing that irked me was the blatant refusal to cease the call recording

I'm not sure you have the right to ask that.

It could be considered part of the provision of service and protections for their staff from potentially abusive customers. As well as putting them at increased legal liability when a customer then claims "But your rep said X" and there is no recording to prove that.

My understanding is that you must now provide consent to a data processing act which a call recording would constitute. Most telcos' audio recordings state the recording is for "training and quality purposes" (i.e. there is no legal mandate for them to record the call). If this is the stated purpose of the data processing act they must allow you to opt out.

It's clear as mud I suppose. If Virgin had handled my initial complaint a bit better I'd have cut them more slack but they've been dicks so I'm holding them accountable.

I don't think you can necessarily ask them to just stop doing stuff (that is required for them to provide the service) because you don't agree with it. They just need to store, utilise and release it correctly

Does anyone have a good knowledge of GDPR issues in photography? My main involvment is doing occasional architectural photography. In this scenario where the 'models', or people caprured incidentally in the photos, without them being the main subject, would I have to get permission from each person in order to be able to publish the photos?

Depends on where you were when taking the photo, if on public or private ground, I believe.

If on public ground, you are fine. On private, you would have to get permission for landowner first. If the photo is an instruction from the landowner, then you are in the clear.

This is my understanding

No (as long as you [and everyone else] is in a public place).

https://www.blpawards.org/competition/photo-rights

"
In the UK you do not have to get the permission from people you photograph whilst they are in a public place. Using and selling images of people in a public place is usually acceptable if undertaken with a view to being used for any journalistic or artistic material.

However if you intend to sell the image commercially or use it for a commercial purpose (for example to promote a product) it is normally recommended to get people to sign a model release form - see below for more about why this is important.
"

No necessarily public, quite often private residential buildings or colleges. The latter is probably a minefield with the potential involvement of minors.

"If you are taking photographs from private land, you need to have the land owner’s permission. Taking a photo of a person where they can expect privacy, such as inside their home or garden, is likely to cause a breach of privacy laws."

No one walking down the street can expect privacy (even though they may want it) which is why the paparazzi exist. Often seen lurking outside of shops, because someone they want to pap is in there (and private property)

There are other exceptions, hospitals, clinics, etc. fall under the expectation of privacy.

If there are minors or vulnerable adults involved, you may need to have passed a CRB check.

While working for two different local authorities I had to get advanced/enhanced CRB checks as I was going be around minors and vunerable adults

Anybody clued up on GDPR here?

I'm going through a process at work, in which I'm appealing a dismissal result. It's a bit of a two part process (and a long story), but the GDPR part is:

1. Work has always contacted me by telephone and email. However all work emails are spammed automatically by gmail. I was in contact with HR through email (after whitelisting the people in contact) and everything was fine until they went cold. Apparently after 12 weeks of not contacting me, somebody else from HR sent me an email which apparently ended up in my spam folder, which I pretty much never check unless I'm missing something. HR then sent letters, however I moved home months earlier (first day of the November lockdown) and never updated HR with my new address. I completely forgot to. Roll on many months and HR are writing to me at my old address obviously receiving no reply. And I have no idea about these letters. The letters were over the course of 4-5 months and ended up in my medical records being sent to my old address, and resulted in myself being dismissed. I understand that I'm partly to blame for not updating my address with HR, but at what point is it reasonable for them to keep sending letters without a reply, and not pick up the phone and call me? Or to even contact my emergency contact? This was during the height of covid and I could have been dead many times over.

2. In the second part, I'm appealing the process I've been put through. Due to the shit show of a HR Director who was my line manager and caused this situation, an external consultant has been hired to advise on the process (the HR Directors best mate). And this person has just called me on my private mobile number to ask me some questions about my appeal pack. The call was completely unexpected, and I'm a little concerned that this person has my name, telephone, address, email address, date of birth and medical records. As far as I'm aware, whenever I sent data to somebody else it had to be the bare minimum of what was required for them to perform the role required. I can't understand how these details are necessary under legitimate interest? And if I'm not long an employee at the moment, should I not have consented for my medical records to be sent to a third party or at least informed?