BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
 |
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | |
Irish Data Protection Commission Case Studies |
||
|
You are here: BAILII >> Databases >> Irish Data Protection Commission Case Studies >> Retention of personal data provided online [2008] IEDPC 13 URL: http://www.bailii.org/ie/cases/IEDPC/2008/13.html Cite as: [2008] IEDPC 13 |
||
[New search] [Printable RTF version] [Help]
Retention of personal data provided online [2008] IEDPC 13 (31 December 2008)
In January 2008, I received a complaint from a data subject in relation to the retention of his personal data by X. The data subject had provided his credit card details and his email address to X. for the purpose of a particular transaction in 2006. However, in October 2007 and January 2008 he received emails from X. regarding the cancellation of a concert for which he had not purchased a ticket. The data subject was concerned that his personal data had been retained by X. for such a long time. He asked X. to remove his details from its database and, at the same time, he complained to my Office.
On receipt of the complaint, my Office commenced an investigation into the matter. X. holds an extensive amount of personal data including credit card details. At the outset we were concerned that the organisation might not have appropriate procedures in place for deleting personal data when no longer required for the purpose for which it was given. A subsequent response from X. stated that the emails sent to the data subject were customer service emails regarding the cancellation of an event rather than marketing emails. I accepted this. It explained that the first email was sent in error and that the purpose of the second email was to inform the recipient that the previous email had been sent in error and that he should ignore or delete it if he had not purchased tickets to the event in question. X. informed us that steps had been put in place to ensure that such an error would not occur again and it wrote to the data subject to confirm that it had deleted all of his personal data from its records in accordance with his request.
In the course of the investigation my Office requested a copy of X's data retention policy and highlighted issues in relation to the privacy policy statement on its website. Having reviewed X's privacy policy we found that it referred to UK data protection legislation and made no reference to Irish data protection legislation. As X. is registered in Ireland, we considered it appropriate that a data protection notice relevant to Ireland should be published on its website.
In its response, X. provided my Office with a detailed account of the type of personal data it collects, the purposes for which it is used and the retention policy for such data. In relation to its privacy policy statement lacking a data protection notice for Irish customers, X. indicated that the omission was an oversight on its part and it supplied my Office with a copy of a draft privacy policy statement for Irish customers. X. also informed my Office that it only sends performer alert emails to customers who have previously bought tickets and that such emails are only sent in respect of "similar products or services" as they notify customers of future performances by artists for whom they had previously bought tickets. It also pointed out that X. offers the customer in each message an easy and free opt-out from receiving future messages. My Office was still concerned about the length of time X. retained personal data such as credit card details. X. informed my Office that it retained personal data for sixteen months. However, my Office considered that twelve months was a more appropriate retention period and it advised that, if there was no activity on a customer's account during that time, all details should be deleted. In relation to the storage of customers' credit card details, we advised that it would be more appropriate for customers to opt in to have their details retained rather than the existing practice of requiring a customer to uncheck a box when he or she purchases a ticket. X. agreed to implement my Office's recommendations.
I am satisfied that X. takes its data protection responsibilities seriously and I was encouraged by the cooperative manner in which it addressed the issues and implemented my Office's recommendations.
It is important that data controllers who process personal data via websites are fully aware of their obligations in relation to personal data. Websites with customer interfaces should clearly outline to potential customers how their personal data will be processed in future and for how long it will be retained. No data subject should be surprised to find that their personal data continues to be processed long after initially inputting their information on a data controller's website.
