
I'm an employee (software developer) for a company that acts as a data processor, and the company that is a client and data controller has requested a feature that I find questionable.

The purpose is to provide a client terminal inside a point of business that would function as follows:

  1. The customer arrives at the shop,
  2. the customer presses the 'Start' button on a touch screen,
  3. enters her phone number,
  4. after this she is shown a greeting that includes her given name,
  5. the customer selects what services she wants in order to complete the service order,
  6. and the customer is called out by her given name when she is to be serviced.

My assumption is that this should not be done, and if not illegal, then this would at least be seen as rather bad manners. My assumption is based on the fact that the personal data (given name, existence of customership) may be handed to someone that has no legal right to see that data, and it might be impossible to name that person later on if needed.

As far as I can see, if someone enters her phone number incorrectly, or for some reason enters a phone number that belongs to someone else, then it is possible that the given name belonging to someone else is shown.

Also due to the location (population 5,5 million), some foreign given names can be rare to such extent that they are unique within the country.

Since phone numbers are recycled, it might be possible that a new customer sees the given name of the previous owner of the number if the previous owner has also been a customer.

I doubt there is any other possible harm to customers except a possible loss of privacy that doesn't cause tangible damage; the services provided are not associated with sensitive matters.

So, is giving out the customer's name and the implied existence of customership legal?

Edit 1: The phone number in question is probably expected to be a personal mobile phone number. It should be possible to verify that a phone number is a mobile phone number. I don't know if people sharing a mobile phone has been taken into consideration.

3 Answers

Art. 5(1)(f) contains:

  1. Personal data shall be:

    (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Art. 25 and Art. 32 also contain similar requirements. What is appropriate has to be determined, as the GDPR does not contain an exact definition.

However, as processor you don't have to worry about that, as Art. 5(2) contains:

  1. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

But you need to inform the controller if you think an instruction violates the GDPR. But it is up to the controller to decide what to do. Art. 28(3) requires a contract between controller and processor which requires the processor to:

  1. (...) that the processor:

    (c) takes all measures required pursuant to Article 32;

    (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

But again, the controller is responsible for this contract.

wimh

I agree with wimh's answer. There are some points to add:

  • a phone number is not unique; one number may be shared by several customers in the same household. This is the fundamental problem with the proposal.

  • loss of privacy may cause serious damage. If Mrs X logs on and sees Mr X's transactions, she may wonder where the item that Mr X bought is, as she hasn't seen it round the house or received it as a gift. If the item is lacy ladies' underwear in Mr X's size, Mr X's privacy has been invaded, his marriage may be placed at risk, he may suffer financial loss as a result, and the data controller may be liable.

  • even if the item is not lacy underwear, a transaction history may show that Mr X was not where he told Mrs X he had been at a certain time/date.

  • a person in possession of a phone number associated with another person (Mr Y) may be able to determine that the telephone number is actually held by an adult in the name of X. Even if the system does not store and display address data, disclosing the name of X may be sufficient to enable Y's home address to be traced. This may be in breach of a court order protecting a person from harm or domestic abuse, especially if Y is a juvenile.

Owain

Within the company premises/office/shop, as long as there is two-factor authentication (e.g. phone number and email, not only phone number), it is a matter of service requirements versus the data subject's consent versus risks. Even if there are some rare names, as long as you do all within your power to ensure that the person logging in is the data subject via such a two-factor authentication method, the only thing you will "enable to the public" who is on-site is to cross-reference a "name" with a face... therefore the risk towards the data subject is low. I wouldn't go as far as saying this scenario represents a non-compliant point.