Update: Dixons Carphone data breach – do you know your rights?

That is a very useful summary and is worth bookmarking.

I’m aware of that and very familiar with the Information Commissioners Office & the GDPR. Particularly the bit on erasure.
I’ve quoted GDPR chapter & verse at Currys. I’ve demanded they remove it already, as I made clear. I’m not in a strong position and they are using the GDPR to justify their demand for a copy of a current passport and bank statement. They simply refuse to remove it without those documents they say they ‘cannot’ do it otherwise.

Fredables, I’m sure you are aware of all this, but maybe for others:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

Individuals can make a request for erasure verbally or in writing.

Can we ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.”

So “verbally or in writing” seems to be sufficient, and even if they have doubts about your identity, given the relative insignificance of the data they hold, asking for a passport and bank details seems wholly disproportionate.

You could contact sebastian.james@dixonscarphonegroup.com

Appreciated Malcom, you’re kind 🙂
I have repeatedly pointed this out to them. They read from a script & ignore most of the points I’m making. It is ridiculously disproportionate. It has been going on for over a month now. I’ve asked for it to be escalated to a manager & that request isn’t even acknowledged. They just cut & paste their policy at me.
The phone people (teamknowhow) say they passed it to the “websars” (data? )team & there is nothing they can do because it is separate to them & so they say the buying of the item only counts to the phone team as proof not to the “websars” team

They delivered a very large kitchen item & installed it. They know full well it is me.

I’ve even googled to see if there is a way to (within the law) get them to ban my account so they’ll remove all my details then. There isn’t, & I hate breaking rules anyway

PS where is the subscribe to this thread button that the help guide says is under each post, please?

When you open up the “reply” box, before you post it, click on the “Follow this conversation by email” link in red, at the bottom left.
Best of luck.

Brilliant I never would have found that 😀

Already involved them, they appear to be taking a minimal interference approach. ie none Getting a strong impression that they will not intervene & they are aware of all the communications between Currys & I.

Under the GDPR, Currys PC World must have nominated a data protection officer. Have you been in contact with him or her? Contact details should appear in the company’s Privacy Policy Statement.

I’ve scrutinised all their T&C’s & Privacy Policy pages already.
I had to beg & beg to get them to even give me the email for the data team. So I would have proof of the correspondence (as opposed to webforms) They finally gave me the email address for the “websars” team. They refuse point blank & claim ignorance of anything further.

In CPCW’s case it should be a Data Controller, I’d have thought.

I would be happy if they did but I can’t imagine that they would get involved or even notice this

Sebastian James retired as CEO in January. I believe that it’s now Roger Taylor, who nearly got a letter from me when the company was messing me around earlier in the year. They eventually stopped insisting that I should contact the manufacturer of a product that was under guarantee and replaced it.

You are taking on one of the most challenging companies I know, Fredables, and I wish you success.

I have no hope.

🙂 You can do it.

There are two companies that I would like to teach how to run a business. The other one sounds like a river in South America.

You might be right Ian. My reading of the ICO’s guidance notes indicated that all organisations that handle personal data will need to nominate a data protection officer and those with extensive data management functions will need to have a data controller who determines the purposes and means of processing personal data. The DPO is responsible for the protection of data and for providing access to it by persons whose data is held by the organisation. I have noticed that different models have been used by organisations, that most organisations have woken up to this late even though they knew it was coming, and that some organisations [guess who] are being very disobliging when it comes to implementation.

Was it not Currys PC World that belatedly discovered in June 2018 that it had experienced a massive data breach during 2017? They need to get their house in order without further prevarication. Full compliance with the GDPR would be a good starting point.

I don’t understand why this company’s dubious practices don’t get more exposure and enforcement.

I agree with Derek’s comments. I have lost confidence in the ICO over various matters where they seem loath to exercise their considerable powers of enforcement.

BT knows any telephone number called to its organisation , this was available years ago on system X digital exchanges Fredables . All “government services” including the police have access to this.

Yes I know, as I clearly stated above first line in brackets (police etc) and it isn’t ALL govt services.
As BT are the ones who place a marker on the line to tell the receiving equipment to withhold the number then it quite obvious they know, they own the network.

Oooh! Tetchy. I think Duncan was just trying to explain, Fredables, for the benefit of all readers here.

Thank John , I was a bit hurt by that.