I was hoping something would change with the introduction of GDPR on May 25th. I was certainly not expecting that consumers would send a lot of requests to companies but I was hoping, at least, that bad practices would decrease under the pressure of the Data Protection Authority. I’m afraid I was wrong.Read also: 30 days to read privacy policies: consent fatigue will make GDPR ineffective
Here’s a true story that shows that the Data Protection Authority (in Belgium) doesn’t show the expected proactiveness I was hoping to see. In fact their lack of reactivity will ensure that bad behaviors continue.
Step 1 : a sms received from an unknown number redirecting to a chatbot
On a Wednesday morning I received an intriguing sms from an unknown number. I didn’t quite understand the content of it (see screenshot below). A link was included that brought to a chatbot (see screenshot). This seemed very odd to me.
I had never heard of the company before (or at least I couldn’t remember it) and found it very odd to receive a sms (not mentioning talking to a bot).
I decided to call the company (it appeared later to be a recruiting firm). And surprizingly they knew me very well. They had my phone number, all my personal details and a complete copy of my CV in THEIR database.
They told me they had contacted me through the Monster platform. I checked and this was true but I had turned down their proposal.
Yet it seemed perfectly normal to them that because I had a profile on Monster they had the right to copy my data in their own CRM.
Step 2 : Monster Belgium not aware of GDPR and not knowing what to do
The next step brought me to contact Monster and to bring to their attention that one of their clients was stealing data from them in violation of their confidentiality policy.
Surprizingly they found it perfectly normal. The employee who answered my complaint wasn’t aware of GDPR, didn’t know what it meant and was unaware of the steps to take.
I decided to undertake those steps for them and filled an official complaint with the Data Protection Authority.
Step 3 : the disappointing answer of the Data Protection Authority (DPA)
I received the DPA’s answer after 3 weeks, stating that I should contact the company and asked that my data be removed.
In case the problems would persist I could contact the DPA again, the letter said.
The Data Protection Authority’s answer shows that consumers are in fact not better protected than before and that bad and unlawful practices will continue.
What was expected from the DPA in that case was an investigation to find out how personal data could be retrieved from one trusted system (Monster) to be copied in another one without prior consent of the consumer. What was expected from the DPA was they stop this illegal treatment.
Rather they chose to look elsewhere and not to care. This is extremely disappointing.