Update: Dixons Carphone data breach – do you know your rights?

Hi Fredables, given the recent introduction of the GDPR, you may now be in a strong position, from which you can order Currys to sort of this mess.

I found this guidance on customers’ GDPR rights here, in an article at eureka.eu.com/gdpr/know-your-rights/

2. Right to access
Individuals looking to scrutinise the use of their data by businesses will have the ability under the regulation to access that data and verify the lawfulness of its use. This means that, at any time, data controllers and teams must be able to confirm to individuals that their data is being processed, provide access to all of that data and also any supplementary information which was provided to them at the outset (wrapped up in the Right to Be Informed).

3. Right of rectification
Simply, this article in the data regulation means that any request by an individual to correct inaccurate information held by your business must be done swiftly, clearly and without undue delay.

4. Right to erasure
Once their data has been obtained, there are six reasons that an individual may request for their data to be erased – enacting the ‘Right to Be Forgotten’:

a. Their data is no longer necessary;
b. The individual withdraws consent due to unlawful processing or that their data falls into a special category;
c. Where they may object under the ‘Right to Object’ (more below);
d. The data has been unlawfully processed;
e. There is another legal obligation due to an EU member state law;
f. Or the data relates to consent with regard to a child.

If there is no need for Currys to keep any of your details, then I think you are entitled to demand their deletion.

If they need to keep some records of your custom, then you should insist that they correct the data they hold until it is correct.

I think the best way of asking for that would be by proper printed (or typed) letters, with proper wet signatures, if you can manage that. (I had to resolve a similar situation with Virgin a few years back. It took three letters before they finally got it right.)

That is a very useful summary and is worth bookmarking.

I’m aware of that and very familiar with the Information Commissioners Office & the GDPR. Particularly the bit on erasure.
I’ve quoted GDPR chapter & verse at Currys. I’ve demanded they remove it already, as I made clear. I’m not in a strong position and they are using the GDPR to justify their demand for a copy of a current passport and bank statement. They simply refuse to remove it without those documents they say they ‘cannot’ do it otherwise.

Fredables – thanks for that clarification.

Have you considered talking to the ICO to see if you can appeal Currys refusal via them?

Fredables, I’m sure you are aware of all this, but maybe for others:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

Individuals can make a request for erasure verbally or in writing.

Can we ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.”

So “verbally or in writing” seems to be sufficient, and even if they have doubts about your identity, given the relative insignificance of the data they hold, asking for a passport and bank details seems wholly disproportionate.

You could contact sebastian.james@dixonscarphonegroup.com

Appreciated Malcom, you’re kind 🙂
I have repeatedly pointed this out to them. They read from a script & ignore most of the points I’m making. It is ridiculously disproportionate. It has been going on for over a month now. I’ve asked for it to be escalated to a manager & that request isn’t even acknowledged. They just cut & paste their policy at me.
The phone people (teamknowhow) say they passed it to the “websars” (data? )team & there is nothing they can do because it is separate to them & so they say the buying of the item only counts to the phone team as proof not to the “websars” team

They delivered a very large kitchen item & installed it. They know full well it is me.

I’ve even googled to see if there is a way to (within the law) get them to ban my account so they’ll remove all my details then. There isn’t, & I hate breaking rules anyway

PS where is the subscribe to this thread button that the help guide says is under each post, please?

When you open up the “reply” box, before you post it, click on the “Follow this conversation by email” link in red, at the bottom left.
Best of luck.

Brilliant I never would have found that 😀

Already involved them, they appear to be taking a minimal interference approach. ie none Getting a strong impression that they will not intervene & they are aware of all the communications between Currys & I.

Under the GDPR, Currys PC World must have nominated a data protection officer. Have you been in contact with him or her? Contact details should appear in the company’s Privacy Policy Statement.

I’ve scrutinised all their T&C’s & Privacy Policy pages already.
I had to beg & beg to get them to even give me the email for the data team. So I would have proof of the correspondence (as opposed to webforms) They finally gave me the email address for the “websars” team. They refuse point blank & claim ignorance of anything further.

In CPCW’s case it should be a Data Controller, I’d have thought.

Having just retired from the UK arm of a large corporation, I can report that the arrangements introduced there for GDPR compliance were introduced via a fairly authoritarian dictate, in a bit of a rush and on the basis of simple but strict local rules.

So low level minions in Currys may have experienced a similar process and may not have any “wiggle room” within their company processes.

Hence I agree that Fredables’ case may require escalation to higher authorities. Even so, a short term win may not be possible, especially if the ICO are unwilling to help.

It would be interesting to hear whether or not Which? themselves will take any interest in this, and similar cases.

I would be happy if they did but I can’t imagine that they would get involved or even notice this

Sebastian James retired as CEO in January. I believe that it’s now Roger Taylor, who nearly got a letter from me when the company was messing me around earlier in the year. They eventually stopped insisting that I should contact the manufacturer of a product that was under guarantee and replaced it.

You are taking on one of the most challenging companies I know, Fredables, and I wish you success.

I have no hope.

🙂 You can do it.

There are two companies that I would like to teach how to run a business. The other one sounds like a river in South America.

You might be right Ian. My reading of the ICO’s guidance notes indicated that all organisations that handle personal data will need to nominate a data protection officer and those with extensive data management functions will need to have a data controller who determines the purposes and means of processing personal data. The DPO is responsible for the protection of data and for providing access to it by persons whose data is held by the organisation. I have noticed that different models have been used by organisations, that most organisations have woken up to this late even though they knew it was coming, and that some organisations [guess who] are being very disobliging when it comes to implementation.

Was it not Currys PC World that belatedly discovered in June 2018 that it had experienced a massive data breach during 2017? They need to get their house in order without further prevarication. Full compliance with the GDPR would be a good starting point.

I don’t understand why this company’s dubious practices don’t get more exposure and enforcement.

I agree with Derek’s comments. I have lost confidence in the ICO over various matters where they seem loath to exercise their considerable powers of enforcement.

This comment was removed at the request of the user

Yes I know, as I clearly stated above first line in brackets (police etc) and it isn’t ALL govt services.
As BT are the ones who place a marker on the line to tell the receiving equipment to withhold the number then it quite obvious they know, they own the network.

Oooh! Tetchy. I think Duncan was just trying to explain, Fredables, for the benefit of all readers here.

This comment was removed at the request of the user