BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!

 

This personal data security breach involved two car showrooms based in the same locality. Garage A notified this Office of a data security breach under the Code of Practice. Garage A was alerted to the fact that one of their customers had received a marketing letter from a former employee who was now working for Garage B. The letter stated that the employee had moved to a different employer and was promoting Garage B.

 

Our investigation into this matter focussed on the issues of Garage A failing to keep secure the personal data that it held and that of Garage B processing personal data for which it had no consent to process.

 

When we contacted Garage B in relation to their processing of data relating to customers of Garage A, Garage B stated that the data had been contained within the diary of the new employee. The employee had used this data to write to individuals with whom he had dealt with as an employee of Garage A. It was clear that Garage B had no consent from the individuals to process their data or to send marketing communications. Garage B also informed my Office that the data in question had now been destroyed.

 

Our Office also examined the data protection provisions in the employee contract of Garage A. The contract referred to the use of business data. We recommended to Garage A that the contract be amended to include specific reference to the use of personal data to prevent any ambiguity.

 

In certain situations that have come to our attention, there appears to be a misconception by some employees that the customers are their customers rather than that of the data controller, i.e. the employer. Data controllers must be aware that where they process data which has been brought in to the organisation by a new employee from their previous employment, without the consent of the individuals, they are in breach of the Data Protection Acts. This could be further exacerbated if they engage in electronic marketing to those individuals.