Back to Help and Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
1

Ask

2

Reply

3

Solution

Vodafone and GDPR Failure

CHH
2: Seeker
2: Seeker

‎27-06-2019 12:38 PM

I sent a subject access request via email to the you on the 17th of May, as per the below:

"To Whom It May Concern:

I am hereby requesting access according to Article 15 GDPR. Please confirm whether or not you are processing personal data (as defined by Article 4(1) and (2) GDPR) concerning me.

In case you are, I am hereby requesting access to the following information pursuant to Article 15 GDPR:

  1. all personal data concerning me that you have stored;
  2. the purposes of the processing;
  3. the categories of personal data concerned;
  4. the recipients or categories of recipient to whom the personal data have been or will be disclosed;
  5. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  6. where the personal data are not collected from the data subject, any available information as to their source;
  7. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.

If you are transferring my personal data to a third country or an international organisation, I request to be informed about the appropriate safeguards according to Article 46 GDPR concerning the transfer.

[Please make the personal data concerning me, which I have provided to you, available to me in a structured, commonly used and machine-readable format as laid down in Article 20(1) GDPR.]

My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

As laid down in Article 12(3) GDPR, you have to provide the requested information to me without undue delay and in any event within one month of receipt of the request. According to Article 15(3) GDPR, you have to answer this request without cost to me.

I am including the following information necessary to identify me: (deleted for privacy)
If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority."

 

The deadline according to the GDPR regulations was to provide me the information by the 18th June. As of today I have still not received the information requested.

 

In addition to this you have repeatedly tried to mislead me into believing that you have 30 working days to provide the information. The regulations as stated on the ICO website, quite clearly says one calender month: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-r...

 

You have also tried to lead me to believe that I have to fill out your form and follow your processes for vodafone to be able to begin processing the information requested. Again this is untrue, all I needed to do was to provide a verbal request or even a request via social media. I have in this instance provided a written request via email. All as stated within the regulations on the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-r...

 

I have been informed that your staff have filled out the form for me, after I phoned to find out where the information was, After the month deadline, so now I have to wait another month, as per your internal processes.

 

Why does Vodafone feel as though they can flout the regulations in regards to the GDPR and do their own thing. Yes, you may have a process or policies internally, but if this process does not satisfy the requirement of the GDPR then the processes are not up to scratch!

 

I have since opened a complaint with you about this whole issue, and as advised by the ICO I will be making a complaint direct to them should the requested information not be provided to me within the extended deadline, at my discretion, of the 3rd of July.

 

0 Thanks
9 REPLIES 9

Mark
Community Manager
Community Manager

‎27-06-2019 02:32 PM

I'm sorry to see there's been a delay in completing your SAR @CHH. I'm sure we can get this sorted for you. As we'll need access to your account to do this, please contact us via Facebook at Vodafone UK, or on Twitter using the handle @VodafoneUK. To help us provide you with the most relevant information, please include a link to this thread in your message.

0 Thanks

CHH
2: Seeker
2: Seeker
In response to Mark

‎27-06-2019 02:59 PM

Mark - The thought of providing you with my Facebook or Twitter handle after having gone through this process absolutely terrifies me.

 

I have already gone through your complaints procedure, why would it take longer via that method than contacting vodafone via social media? Is it because there is more exposure on social media???

0 Thanks

Mark
Community Manager
Community Manager
In response to CHH

‎27-06-2019 04:15 PM

I'm sorry to hear you feel this way @CHH. As we're unable to discuss your account publicly, we'll be unable to help you further with this here.
If you change your mind, contact us through PM or DM using the links I've provided and we'll be happy to help.

0 Thanks

CHH
2: Seeker
2: Seeker
In response to Mark

‎03-07-2019 04:01 PM

Can someone at Vodafone confirm how a GDPR data access request needs to be done according to Vodafone please?

0 Thanks

Josh
Moderator (Retired)
Moderator (Retired)
In response to CHH

‎04-07-2019 02:28 PM

@CHH If you're looking to ask for a Data Acess Request, you can do so by completing our SAR request form Here

0 Thanks

CHH
2: Seeker
2: Seeker
In response to Josh

‎05-07-2019 10:39 AM - edited ‎05-07-2019 12:05 PM

Ok, and there it is. This has been my complaint all along, your processes are not adequate to meet the requirement of the GDPR.

 

The regulations state, as quoted:

"However, even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally.

 

Therefore, although you may invite individuals to use a form, you must make it clear that it is not compulsory and do not try to use this as a way of extending the one month time limit for responding."

 

Vodafone as a company either do not want to or are not able to respond, adequately capture or process a SAR request in any other form and insist I have to use their form. You have been using this as an excuse, clearly against the regulations, as to why my initial email request in my original post was not acted upon and the information I am due to receive is over two months from my initial request.

 

Sort it out!

 

Edit: Having read through the page you linked, https://www.vodafone.co.uk/gdpr-sars-form/, no where on it does it say say this is not the only way to access your own information. Nor does it say anything along those lines on the guidance notes for filling out your SAR form, https://www.vodafone.co.uk/cs/groups/configfiles/documents/contentdocuments/vftst042750.pdf

 

You do realise as a company this goes entirely against the regulations right? Or are you so arrogant you just don't care???

0 Thanks

Colleen
Moderator (Retired)
Moderator (Retired)
In response to CHH

‎05-07-2019 06:51 PM

@CHH I completely understand your frustration on this matter. You most definitely should've received the information you requested by now. We advise to contact us using the form, as this ensures the customer supplies us with all of the information we need, in order to be able to help them as effectively and efficiently as possible. The risk of not completing the dedicated form is that vital information may be missed, as the customer may not necessarily know they need to include it. I'm not talking about you personally but many customers contact us on a daily basis to request a SAR. The form is the simplest and most customer friendly way of requesting this.
On the Guidance notes link you've provided, it does mention this: 

What you need to provide
Please fully complete our SAR form – online or on paper – clearly stating what information you’re looking
for. And provide all your contact details so our team can contact you about your SAR.
Although it says it can be completed using paper, the initial 'form' would still be the template to follow. 

I understand you've already raised a complaint regarding this - I can assure you that all processes and the experience you've had, will be considered and handled accordingly. Please continue to keep in touch, using the channel in which you've raised your complaint. 

0 Thanks

CHH
2: Seeker
2: Seeker
In response to Colleen

‎07-07-2019 05:30 PM

Thank you Colleen.

 

I'd like to add that the onus is on Vodafone to request further information should you require it, not the customer. As far as I know everyone on your phone and online help teams are all unable or unwilling to accept a verbal request for a SAR, which again is clearly against the regulations. All of those I have spoken to insist on you filling out the form, which I reiterate is not a requirement and goes against the regulations. Pointing out that this is indeed against the regulations and even sending them the link to the relevant section on the ICO website does nothing to alter their perception. This is quite clearly a failing in Vodafone's proccess and training procedure! Any customer facing operative within your organisation should be able to accept, log and accurately process a SAR request made in any way. Not my thoughts but this again is according to the regulations. If they cannot then there is a failing in your processes.

 

I suspect I am not the only one to have been misled by Vodafone as to how, according to the GDPR, they can requst a SAR. That has been the most frustrating part. Providing you with facts and quotes verbatim from the regulations doesn't seem to do a lot. Which has lead me to believe you as a company couldn't care less about the regulations.

0 Thanks

BenThomas1
2: Seeker
2: Seeker
In response to CHH

‎23-07-2019 11:08 AM

The penalties incorporate a 7.5% reduction to reflect Vodafone’s agreement to enter into a formal settlement, which will save public money and resources. As part of this agreement, Vodafone admits the breaches. It has also reimbursed all customers who faced financial loss, but for 30 it could not identify, and made a donation of £100,000 to charity.

0 Thanks