“Carprof and AA team use the General Data Protection
Regulation (GDPR),” the garage's letter read. I burst out laughing when I read
this. "Use".
They probably didn't mean it that way, but they worded it
a bit clumsily. Like all legislation, privacy legislation is not a candy
store where you only put the sweets you like best in the bag. Nor can you
ignore the GDPR, or exchange it for, for example, the privacy law of Guatemala
(a purely arbitrary example).
The special thing about the GDPR is that it is not a
national law – as its predecessor, the Dutch Personal Data Protection Act (Wbp)
was – but a European one (apologies if the designation 'law' is wrong in legal
terms, but what I mean to say is that there are rules that you have to comply
with, and if you don’t, you can be punished).
Earlier, I wrote about a Greek car rental company that
understood that I wanted my data removed after the rental period and had a form
for that. And this year I noticed that even in Italian hotels they were not
surprised that I did not hand in our passports, but only copies of them. In
Italy you have to be registered and they never do that at the hotel reception
at the very moment you’re checking in, so they want to keep your passport for a
while.
This year, they settled for a copy. I had brought a whole
stack of copies with me just to be sure, but I got everything back in good
order and so a single set would have been enough. On those copies I had made
our social security numbers illegible and written the text 'Copy' over the
photos. I noticed that the SSN is no longer on the front of the photo page in
the brand new passports of the children. That is a good adjustment, which is
completely in line with the GDPR principle of data minimization: do not include
more data than is necessary for the intended purpose.
What was the garage company trying to tell me with that
somewhat unfortunate phrase? That they have data about me and that they handle
it properly – in accordance with the law. And that they don't do crazy things
with it, such as selling it on to an advertising company. The fact that they
occasionally send me a brochure is inherent in the business relationship I have
with them (I think).
In terms of advertising, there is something strange going
on. I bought my car from the local Mitsubishi dealer five years ago. That
company has not been an official Mitsubishi dealer for a few years now;
they now work under the Carprof label. The new official Mitsubishi dealer is located
a few hundred meters down the road. And they also send me mail, in which they
state the type, registration number and year of manufacture of my car, and an
offer for that car if I buy a new one from them. I've never set foot inside
their business. Apparently a car brand can request my data purely because I
have a car of that brand.
Car companies seem to cherish that data and (so?) they
don’t clean up. For many years I received mail from Peugeot, my previous car
brand. Until I asked them to stop. That too is an achievement of the GDPR: if
you ask for it, a company must delete your data. And no, that does not apply if
you have ongoing obligations to that company.
A company cannot choose to use the GDPR; they simply have
to comply with it. As a private individual, however, you actually can make use
of the GDPR, by knowing your rights and applying them. For example, by
demanding access to the data a company has about you, having incorrect data
corrected and data removed. The latter is also referred to almost poetically as
'the right to be forgotten'. But if you like all that attention, you can leave
it that way. No one is forcing you to use the GDPR.
And in the big bad world…
This section contains a selection of news articles I came across in the past
week. Because the original version of this blog post is aimed at readers in the
Netherlands, it contains some links to articles in Dutch. Where no language is
indicated, the article is in English.
- Even outside of Europe, having old hard disks disposed of by just any company isn’t considered good practice.
- Spoofing and friend fraud cost us a lot of money. [DUTCH]
- Fortunately, phishing sometimes also costs the criminal. [DUTCH]
- These two professors are strongly against the use of the public cloud by the Dutch government. [DUTCH]
- We see more and more examples of supply chain attacks.
- It might not be such a good idea to connect your swimming pool to the internet.
- American Airlines leaked customer and employee data after a successful phishing scam.
- Always be careful where you place the comma. [DUTCH]
- A company sometimes moves due to new legislation in a country. [DUTCH]
- Windows 11 warns you if you want to save your password in an insecure file. [DUTCH]
- Multi-factor authentication is an important measure, but not a foolproof one. [DUTCH]