Salesman text me from his personal phoneAm I obliged to obtain quotes for my builder's insurance company?GDPR vs. Copyright for a recommendation letterUsing GDPR against cold-call marketing emailsGDPR - User invitation functionality within learning and development platformHow does GDPR affect a personal web application that uses third parties to authenticate?GDPR - is user social ID personal dataUse of trademark in personal email aliasHow does GDPR apply for normal email communication?False advertising to consumersGDPR Requirements for restricted use corporate webapp

How can I prevent hyper evolved versions of regular creatures from wiping out their cousins?

What's the point of deactivating Num Lock on login screens?

Where does SFDX store details about scratch orgs?

Why "Having chlorophyll without photosynthesis is actually very dangerous" and "like living with a bomb"?

Blender 2.8 I can't see vertices, edges or faces in edit mode

When a company launches a new product do they "come out" with a new product or do they "come up" with a new product?

Is it possible to create light that imparts a greater proportion of its energy as momentum rather than heat?

What is the most common color to indicate the input-field is disabled?

Assassin's bullet with mercury

What to put in ESTA if staying in US for a few days before going on to Canada

If human space travel is limited by the G force vulnerability, is there a way to counter G forces?

Has there ever been an airliner design involving reducing generator load by installing solar panels?

What is the word for reserving something for yourself before others do?

What is the intuition behind short exact sequences of groups; in particular, what is the intuition behind group extensions?

How to draw the figure with four pentagons?

What killed these X2 caps?

How do I write bicross product symbols in latex?

Why can't we play rap on piano?

In a Spin are Both Wings Stalled?

How to take photos in burst mode, without vibration?

I would say: "You are another teacher", but she is a woman and I am a man

AES: Why is it a good practice to use only the first 16bytes of a hash for encryption?

Is it possible to run Internet Explorer on OS X El Capitan?

In Romance of the Three Kingdoms why do people still use bamboo sticks when papers are already invented?



Salesman text me from his personal phone


Am I obliged to obtain quotes for my builder's insurance company?GDPR vs. Copyright for a recommendation letterUsing GDPR against cold-call marketing emailsGDPR - User invitation functionality within learning and development platformHow does GDPR affect a personal web application that uses third parties to authenticate?GDPR - is user social ID personal dataUse of trademark in personal email aliasHow does GDPR apply for normal email communication?False advertising to consumersGDPR Requirements for restricted use corporate webapp













3















I recently went to a garage to ask about different cars and offers, the salesman took some details; phone and email, when leaving I said to him I would be in touch if I wanted to proceed. He called me off the garage's phone and emailed me off their work email but I have been busy with work so missed the call and forgot to email back. I received a text from an unknown number asking if I still wanted the car, I replied asking who it was to which he replied: "it's X from Windsor's lol".



To say I'm furious he got my personal details from their system to text me off his personal phone is an understatement, I just want to know if this is a breach in GDPR or anything like that. Receiving calls and emails from the garage are fine because that is their work environment but when someone goes onto that system to get my information and use it this way is unacceptable to me.



I am looking to take this further and would just like to know my options here because who knows how many other people he has done this to, I have been in touch with his manager but got the feeling he thought X was doing an outstanding job by hounding me in his personal time.



EDIT: This question was purely to get some feedback and different points of view, I have/had no intention of suing the garage or pursuing that kind of legal action. I wanted to see which arguments I could raise when taking this up with the garage's head office, for me it is the principal of privacy and being a nuisance rather than any personal/legal damages. I feel some people may think that I am trying to make a claim, this is not the case so I just wanted to clear that up.










share|improve this question









New contributor




RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 9





    This must be the most modern-day-British thing I've read today.

    – Tobias Weiß
    2 days ago






  • 8





    So you are 100% certain that this salesman's cell phone is not provided to them and paid for by the dealership?

    – MonkeyZeus
    2 days ago






  • 6





    You gave them your number exactly so they could contact you. I'm confused how you think this could be a violation of GDPR.

    – Davor
    2 days ago






  • 2





    @RyanK That still does not prove that it was a 100% personal and non-business cell phone. I worked at a company where my employer covered 40% of my personal cell phone bill because I would be using it for both personal and business purposes. Him saying "sorry" just shows that they are sorry to have bothered you. Given the situation, you are only rightfully upset that they contacted you outside of business hours which is a legitimate complaint. You should add this detail to your question because unless you can prove that it was a 100% personal cell phone then all of this is just hot air.

    – MonkeyZeus
    2 days ago







  • 3





    @RyanK - you are looking at the wrong thing. It doesn't matter who owns the phone, all that matters is how data is being used. He didn't use our phone number to ask you to go have a beer, he contacted you purely for business reasons. This is completelly within reasonable use of data you consented to.

    – Davor
    2 days ago















3















I recently went to a garage to ask about different cars and offers, the salesman took some details; phone and email, when leaving I said to him I would be in touch if I wanted to proceed. He called me off the garage's phone and emailed me off their work email but I have been busy with work so missed the call and forgot to email back. I received a text from an unknown number asking if I still wanted the car, I replied asking who it was to which he replied: "it's X from Windsor's lol".



To say I'm furious he got my personal details from their system to text me off his personal phone is an understatement, I just want to know if this is a breach in GDPR or anything like that. Receiving calls and emails from the garage are fine because that is their work environment but when someone goes onto that system to get my information and use it this way is unacceptable to me.



I am looking to take this further and would just like to know my options here because who knows how many other people he has done this to, I have been in touch with his manager but got the feeling he thought X was doing an outstanding job by hounding me in his personal time.



EDIT: This question was purely to get some feedback and different points of view, I have/had no intention of suing the garage or pursuing that kind of legal action. I wanted to see which arguments I could raise when taking this up with the garage's head office, for me it is the principal of privacy and being a nuisance rather than any personal/legal damages. I feel some people may think that I am trying to make a claim, this is not the case so I just wanted to clear that up.










share|improve this question









New contributor




RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 9





    This must be the most modern-day-British thing I've read today.

    – Tobias Weiß
    2 days ago






  • 8





    So you are 100% certain that this salesman's cell phone is not provided to them and paid for by the dealership?

    – MonkeyZeus
    2 days ago






  • 6





    You gave them your number exactly so they could contact you. I'm confused how you think this could be a violation of GDPR.

    – Davor
    2 days ago






  • 2





    @RyanK That still does not prove that it was a 100% personal and non-business cell phone. I worked at a company where my employer covered 40% of my personal cell phone bill because I would be using it for both personal and business purposes. Him saying "sorry" just shows that they are sorry to have bothered you. Given the situation, you are only rightfully upset that they contacted you outside of business hours which is a legitimate complaint. You should add this detail to your question because unless you can prove that it was a 100% personal cell phone then all of this is just hot air.

    – MonkeyZeus
    2 days ago







  • 3





    @RyanK - you are looking at the wrong thing. It doesn't matter who owns the phone, all that matters is how data is being used. He didn't use our phone number to ask you to go have a beer, he contacted you purely for business reasons. This is completelly within reasonable use of data you consented to.

    – Davor
    2 days ago













3












3








3


1






I recently went to a garage to ask about different cars and offers, the salesman took some details; phone and email, when leaving I said to him I would be in touch if I wanted to proceed. He called me off the garage's phone and emailed me off their work email but I have been busy with work so missed the call and forgot to email back. I received a text from an unknown number asking if I still wanted the car, I replied asking who it was to which he replied: "it's X from Windsor's lol".



To say I'm furious he got my personal details from their system to text me off his personal phone is an understatement, I just want to know if this is a breach in GDPR or anything like that. Receiving calls and emails from the garage are fine because that is their work environment but when someone goes onto that system to get my information and use it this way is unacceptable to me.



I am looking to take this further and would just like to know my options here because who knows how many other people he has done this to, I have been in touch with his manager but got the feeling he thought X was doing an outstanding job by hounding me in his personal time.



EDIT: This question was purely to get some feedback and different points of view, I have/had no intention of suing the garage or pursuing that kind of legal action. I wanted to see which arguments I could raise when taking this up with the garage's head office, for me it is the principal of privacy and being a nuisance rather than any personal/legal damages. I feel some people may think that I am trying to make a claim, this is not the case so I just wanted to clear that up.










share|improve this question









New contributor




RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I recently went to a garage to ask about different cars and offers, the salesman took some details; phone and email, when leaving I said to him I would be in touch if I wanted to proceed. He called me off the garage's phone and emailed me off their work email but I have been busy with work so missed the call and forgot to email back. I received a text from an unknown number asking if I still wanted the car, I replied asking who it was to which he replied: "it's X from Windsor's lol".



To say I'm furious he got my personal details from their system to text me off his personal phone is an understatement, I just want to know if this is a breach in GDPR or anything like that. Receiving calls and emails from the garage are fine because that is their work environment but when someone goes onto that system to get my information and use it this way is unacceptable to me.



I am looking to take this further and would just like to know my options here because who knows how many other people he has done this to, I have been in touch with his manager but got the feeling he thought X was doing an outstanding job by hounding me in his personal time.



EDIT: This question was purely to get some feedback and different points of view, I have/had no intention of suing the garage or pursuing that kind of legal action. I wanted to see which arguments I could raise when taking this up with the garage's head office, for me it is the principal of privacy and being a nuisance rather than any personal/legal damages. I feel some people may think that I am trying to make a claim, this is not the case so I just wanted to clear that up.







united-kingdom gdpr european-union






share|improve this question









New contributor




RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday







RyanK













New contributor




RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 2 days ago









RyanKRyanK

2715




2715




New contributor




RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






RyanK is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 9





    This must be the most modern-day-British thing I've read today.

    – Tobias Weiß
    2 days ago






  • 8





    So you are 100% certain that this salesman's cell phone is not provided to them and paid for by the dealership?

    – MonkeyZeus
    2 days ago






  • 6





    You gave them your number exactly so they could contact you. I'm confused how you think this could be a violation of GDPR.

    – Davor
    2 days ago






  • 2





    @RyanK That still does not prove that it was a 100% personal and non-business cell phone. I worked at a company where my employer covered 40% of my personal cell phone bill because I would be using it for both personal and business purposes. Him saying "sorry" just shows that they are sorry to have bothered you. Given the situation, you are only rightfully upset that they contacted you outside of business hours which is a legitimate complaint. You should add this detail to your question because unless you can prove that it was a 100% personal cell phone then all of this is just hot air.

    – MonkeyZeus
    2 days ago







  • 3





    @RyanK - you are looking at the wrong thing. It doesn't matter who owns the phone, all that matters is how data is being used. He didn't use our phone number to ask you to go have a beer, he contacted you purely for business reasons. This is completelly within reasonable use of data you consented to.

    – Davor
    2 days ago












  • 9





    This must be the most modern-day-British thing I've read today.

    – Tobias Weiß
    2 days ago






  • 8





    So you are 100% certain that this salesman's cell phone is not provided to them and paid for by the dealership?

    – MonkeyZeus
    2 days ago






  • 6





    You gave them your number exactly so they could contact you. I'm confused how you think this could be a violation of GDPR.

    – Davor
    2 days ago






  • 2





    @RyanK That still does not prove that it was a 100% personal and non-business cell phone. I worked at a company where my employer covered 40% of my personal cell phone bill because I would be using it for both personal and business purposes. Him saying "sorry" just shows that they are sorry to have bothered you. Given the situation, you are only rightfully upset that they contacted you outside of business hours which is a legitimate complaint. You should add this detail to your question because unless you can prove that it was a 100% personal cell phone then all of this is just hot air.

    – MonkeyZeus
    2 days ago







  • 3





    @RyanK - you are looking at the wrong thing. It doesn't matter who owns the phone, all that matters is how data is being used. He didn't use our phone number to ask you to go have a beer, he contacted you purely for business reasons. This is completelly within reasonable use of data you consented to.

    – Davor
    2 days ago







9




9





This must be the most modern-day-British thing I've read today.

– Tobias Weiß
2 days ago





This must be the most modern-day-British thing I've read today.

– Tobias Weiß
2 days ago




8




8





So you are 100% certain that this salesman's cell phone is not provided to them and paid for by the dealership?

– MonkeyZeus
2 days ago





So you are 100% certain that this salesman's cell phone is not provided to them and paid for by the dealership?

– MonkeyZeus
2 days ago




6




6





You gave them your number exactly so they could contact you. I'm confused how you think this could be a violation of GDPR.

– Davor
2 days ago





You gave them your number exactly so they could contact you. I'm confused how you think this could be a violation of GDPR.

– Davor
2 days ago




2




2





@RyanK That still does not prove that it was a 100% personal and non-business cell phone. I worked at a company where my employer covered 40% of my personal cell phone bill because I would be using it for both personal and business purposes. Him saying "sorry" just shows that they are sorry to have bothered you. Given the situation, you are only rightfully upset that they contacted you outside of business hours which is a legitimate complaint. You should add this detail to your question because unless you can prove that it was a 100% personal cell phone then all of this is just hot air.

– MonkeyZeus
2 days ago






@RyanK That still does not prove that it was a 100% personal and non-business cell phone. I worked at a company where my employer covered 40% of my personal cell phone bill because I would be using it for both personal and business purposes. Him saying "sorry" just shows that they are sorry to have bothered you. Given the situation, you are only rightfully upset that they contacted you outside of business hours which is a legitimate complaint. You should add this detail to your question because unless you can prove that it was a 100% personal cell phone then all of this is just hot air.

– MonkeyZeus
2 days ago





3




3





@RyanK - you are looking at the wrong thing. It doesn't matter who owns the phone, all that matters is how data is being used. He didn't use our phone number to ask you to go have a beer, he contacted you purely for business reasons. This is completelly within reasonable use of data you consented to.

– Davor
2 days ago





@RyanK - you are looking at the wrong thing. It doesn't matter who owns the phone, all that matters is how data is being used. He didn't use our phone number to ask you to go have a beer, he contacted you purely for business reasons. This is completelly within reasonable use of data you consented to.

– Davor
2 days ago










1 Answer
1






active

oldest

votes


















12














This is possibly but not necessarily fine.



The data controller (the garage) is responsible for safeguarding your personal data. They must take appropriate safety measures, but this depends a lot on their own risk assessment. For example, to protect the data from being used by employees for their personal purposes, the controller might use organizational measures like a policy “you're not allowed to do that.”



Many companies allow employees to use their personal devices for work purposes (BYOD). When the data controller allows this and takes appropriate safety measures, everything is perfectly fine. The company still has to make sure that the data is only processed for legal purses and deleted afterwards.



Implementing a BYOD policy in a GDPR compliant manner is difficult but not impossible.



A data breach has occurred when the security measures were insufficient and your data was deleted or disclosed without authorization. Your scenario would only be a breach if the company did not have a BYOD policy and the salesman used their personal phone, and arguably then only if that device is also breached. However, do not discount the alternatives:



  • they do have a BYOD policy and the salesman is acting within their instructions

  • the salesman was using a company-controlled device, not their personal phone

If you have good reason to believe that your data was mishandled (and these alternatives do not apply), then the GDPR offers you the following remedies:



  • You can of course complain to the data controller, especially if they have a dedicated data protection officer.

  • You can lodge a complaint with a supervision authority, which is the ICO in the UK. They expect you to attempt to resolve your issue with the controller first. The ICO can then decide if they want to investigate the issue.

  • You can sue them for compliance and for actual damages suffered (you have none, though).

Note that all of these alternatives are more effort than they are likely worth. In particular, the garage can always correct the problem, e.g. by getting your contact info deleted from the personal device or by creating a retroactive BYOD policy.






share|improve this answer























  • Thanks for the detailed response, I think it will be a case of just taking it higher up the chain, I'm not looking for damages or anything just an acknowledgement from them that I never gave permission for him to contact me in this way.

    – RyanK
    2 days ago







  • 13





    Make sure you read all the small print of any data authorization you agreed to, before you say "you never gave permission"! In fact you don't know that is WAS his personal phone - it might have been a company-issued phone for work use only.

    – alephzero
    2 days ago






  • 4





    @RyanK Your permission/consent may not have been required for them to contact you via texts (might be allowed as their legitimate interest). This answer only discusses whether the sales person would have been allowed to communicate with you over a personal device.

    – amon
    2 days ago











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "617"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






RyanK is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f38695%2fsalesman-text-me-from-his-personal-phone%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









12














This is possibly but not necessarily fine.



The data controller (the garage) is responsible for safeguarding your personal data. They must take appropriate safety measures, but this depends a lot on their own risk assessment. For example, to protect the data from being used by employees for their personal purposes, the controller might use organizational measures like a policy “you're not allowed to do that.”



Many companies allow employees to use their personal devices for work purposes (BYOD). When the data controller allows this and takes appropriate safety measures, everything is perfectly fine. The company still has to make sure that the data is only processed for legal purses and deleted afterwards.



Implementing a BYOD policy in a GDPR compliant manner is difficult but not impossible.



A data breach has occurred when the security measures were insufficient and your data was deleted or disclosed without authorization. Your scenario would only be a breach if the company did not have a BYOD policy and the salesman used their personal phone, and arguably then only if that device is also breached. However, do not discount the alternatives:



  • they do have a BYOD policy and the salesman is acting within their instructions

  • the salesman was using a company-controlled device, not their personal phone

If you have good reason to believe that your data was mishandled (and these alternatives do not apply), then the GDPR offers you the following remedies:



  • You can of course complain to the data controller, especially if they have a dedicated data protection officer.

  • You can lodge a complaint with a supervision authority, which is the ICO in the UK. They expect you to attempt to resolve your issue with the controller first. The ICO can then decide if they want to investigate the issue.

  • You can sue them for compliance and for actual damages suffered (you have none, though).

Note that all of these alternatives are more effort than they are likely worth. In particular, the garage can always correct the problem, e.g. by getting your contact info deleted from the personal device or by creating a retroactive BYOD policy.






share|improve this answer























  • Thanks for the detailed response, I think it will be a case of just taking it higher up the chain, I'm not looking for damages or anything just an acknowledgement from them that I never gave permission for him to contact me in this way.

    – RyanK
    2 days ago







  • 13





    Make sure you read all the small print of any data authorization you agreed to, before you say "you never gave permission"! In fact you don't know that is WAS his personal phone - it might have been a company-issued phone for work use only.

    – alephzero
    2 days ago






  • 4





    @RyanK Your permission/consent may not have been required for them to contact you via texts (might be allowed as their legitimate interest). This answer only discusses whether the sales person would have been allowed to communicate with you over a personal device.

    – amon
    2 days ago















12














This is possibly but not necessarily fine.



The data controller (the garage) is responsible for safeguarding your personal data. They must take appropriate safety measures, but this depends a lot on their own risk assessment. For example, to protect the data from being used by employees for their personal purposes, the controller might use organizational measures like a policy “you're not allowed to do that.”



Many companies allow employees to use their personal devices for work purposes (BYOD). When the data controller allows this and takes appropriate safety measures, everything is perfectly fine. The company still has to make sure that the data is only processed for legal purses and deleted afterwards.



Implementing a BYOD policy in a GDPR compliant manner is difficult but not impossible.



A data breach has occurred when the security measures were insufficient and your data was deleted or disclosed without authorization. Your scenario would only be a breach if the company did not have a BYOD policy and the salesman used their personal phone, and arguably then only if that device is also breached. However, do not discount the alternatives:



  • they do have a BYOD policy and the salesman is acting within their instructions

  • the salesman was using a company-controlled device, not their personal phone

If you have good reason to believe that your data was mishandled (and these alternatives do not apply), then the GDPR offers you the following remedies:



  • You can of course complain to the data controller, especially if they have a dedicated data protection officer.

  • You can lodge a complaint with a supervision authority, which is the ICO in the UK. They expect you to attempt to resolve your issue with the controller first. The ICO can then decide if they want to investigate the issue.

  • You can sue them for compliance and for actual damages suffered (you have none, though).

Note that all of these alternatives are more effort than they are likely worth. In particular, the garage can always correct the problem, e.g. by getting your contact info deleted from the personal device or by creating a retroactive BYOD policy.






share|improve this answer























  • Thanks for the detailed response, I think it will be a case of just taking it higher up the chain, I'm not looking for damages or anything just an acknowledgement from them that I never gave permission for him to contact me in this way.

    – RyanK
    2 days ago







  • 13





    Make sure you read all the small print of any data authorization you agreed to, before you say "you never gave permission"! In fact you don't know that is WAS his personal phone - it might have been a company-issued phone for work use only.

    – alephzero
    2 days ago






  • 4





    @RyanK Your permission/consent may not have been required for them to contact you via texts (might be allowed as their legitimate interest). This answer only discusses whether the sales person would have been allowed to communicate with you over a personal device.

    – amon
    2 days ago













12












12








12







This is possibly but not necessarily fine.



The data controller (the garage) is responsible for safeguarding your personal data. They must take appropriate safety measures, but this depends a lot on their own risk assessment. For example, to protect the data from being used by employees for their personal purposes, the controller might use organizational measures like a policy “you're not allowed to do that.”



Many companies allow employees to use their personal devices for work purposes (BYOD). When the data controller allows this and takes appropriate safety measures, everything is perfectly fine. The company still has to make sure that the data is only processed for legal purses and deleted afterwards.



Implementing a BYOD policy in a GDPR compliant manner is difficult but not impossible.



A data breach has occurred when the security measures were insufficient and your data was deleted or disclosed without authorization. Your scenario would only be a breach if the company did not have a BYOD policy and the salesman used their personal phone, and arguably then only if that device is also breached. However, do not discount the alternatives:



  • they do have a BYOD policy and the salesman is acting within their instructions

  • the salesman was using a company-controlled device, not their personal phone

If you have good reason to believe that your data was mishandled (and these alternatives do not apply), then the GDPR offers you the following remedies:



  • You can of course complain to the data controller, especially if they have a dedicated data protection officer.

  • You can lodge a complaint with a supervision authority, which is the ICO in the UK. They expect you to attempt to resolve your issue with the controller first. The ICO can then decide if they want to investigate the issue.

  • You can sue them for compliance and for actual damages suffered (you have none, though).

Note that all of these alternatives are more effort than they are likely worth. In particular, the garage can always correct the problem, e.g. by getting your contact info deleted from the personal device or by creating a retroactive BYOD policy.






share|improve this answer













This is possibly but not necessarily fine.



The data controller (the garage) is responsible for safeguarding your personal data. They must take appropriate safety measures, but this depends a lot on their own risk assessment. For example, to protect the data from being used by employees for their personal purposes, the controller might use organizational measures like a policy “you're not allowed to do that.”



Many companies allow employees to use their personal devices for work purposes (BYOD). When the data controller allows this and takes appropriate safety measures, everything is perfectly fine. The company still has to make sure that the data is only processed for legal purses and deleted afterwards.



Implementing a BYOD policy in a GDPR compliant manner is difficult but not impossible.



A data breach has occurred when the security measures were insufficient and your data was deleted or disclosed without authorization. Your scenario would only be a breach if the company did not have a BYOD policy and the salesman used their personal phone, and arguably then only if that device is also breached. However, do not discount the alternatives:



  • they do have a BYOD policy and the salesman is acting within their instructions

  • the salesman was using a company-controlled device, not their personal phone

If you have good reason to believe that your data was mishandled (and these alternatives do not apply), then the GDPR offers you the following remedies:



  • You can of course complain to the data controller, especially if they have a dedicated data protection officer.

  • You can lodge a complaint with a supervision authority, which is the ICO in the UK. They expect you to attempt to resolve your issue with the controller first. The ICO can then decide if they want to investigate the issue.

  • You can sue them for compliance and for actual damages suffered (you have none, though).

Note that all of these alternatives are more effort than they are likely worth. In particular, the garage can always correct the problem, e.g. by getting your contact info deleted from the personal device or by creating a retroactive BYOD policy.







share|improve this answer












share|improve this answer



share|improve this answer










answered 2 days ago









amonamon

71915




71915












  • Thanks for the detailed response, I think it will be a case of just taking it higher up the chain, I'm not looking for damages or anything just an acknowledgement from them that I never gave permission for him to contact me in this way.

    – RyanK
    2 days ago







  • 13





    Make sure you read all the small print of any data authorization you agreed to, before you say "you never gave permission"! In fact you don't know that is WAS his personal phone - it might have been a company-issued phone for work use only.

    – alephzero
    2 days ago






  • 4





    @RyanK Your permission/consent may not have been required for them to contact you via texts (might be allowed as their legitimate interest). This answer only discusses whether the sales person would have been allowed to communicate with you over a personal device.

    – amon
    2 days ago

















  • Thanks for the detailed response, I think it will be a case of just taking it higher up the chain, I'm not looking for damages or anything just an acknowledgement from them that I never gave permission for him to contact me in this way.

    – RyanK
    2 days ago







  • 13





    Make sure you read all the small print of any data authorization you agreed to, before you say "you never gave permission"! In fact you don't know that is WAS his personal phone - it might have been a company-issued phone for work use only.

    – alephzero
    2 days ago






  • 4





    @RyanK Your permission/consent may not have been required for them to contact you via texts (might be allowed as their legitimate interest). This answer only discusses whether the sales person would have been allowed to communicate with you over a personal device.

    – amon
    2 days ago
















Thanks for the detailed response, I think it will be a case of just taking it higher up the chain, I'm not looking for damages or anything just an acknowledgement from them that I never gave permission for him to contact me in this way.

– RyanK
2 days ago






Thanks for the detailed response, I think it will be a case of just taking it higher up the chain, I'm not looking for damages or anything just an acknowledgement from them that I never gave permission for him to contact me in this way.

– RyanK
2 days ago





13




13





Make sure you read all the small print of any data authorization you agreed to, before you say "you never gave permission"! In fact you don't know that is WAS his personal phone - it might have been a company-issued phone for work use only.

– alephzero
2 days ago





Make sure you read all the small print of any data authorization you agreed to, before you say "you never gave permission"! In fact you don't know that is WAS his personal phone - it might have been a company-issued phone for work use only.

– alephzero
2 days ago




4




4





@RyanK Your permission/consent may not have been required for them to contact you via texts (might be allowed as their legitimate interest). This answer only discusses whether the sales person would have been allowed to communicate with you over a personal device.

– amon
2 days ago





@RyanK Your permission/consent may not have been required for them to contact you via texts (might be allowed as their legitimate interest). This answer only discusses whether the sales person would have been allowed to communicate with you over a personal device.

– amon
2 days ago










RyanK is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















RyanK is a new contributor. Be nice, and check out our Code of Conduct.












RyanK is a new contributor. Be nice, and check out our Code of Conduct.











RyanK is a new contributor. Be nice, and check out our Code of Conduct.














Thanks for contributing an answer to Law Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f38695%2fsalesman-text-me-from-his-personal-phone%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

getting Checkpoint VPN SSL Network Extender working in the command lineHow to connect to CheckPoint VPN on Ubuntu 18.04LTS?Will the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayVPN SSL Network Extender in FirefoxLinux Checkpoint SNX tool configuration issuesCheck Point - Connect under Linux - snx + OTPSNX VPN Ububuntu 18.XXUsing Checkpoint VPN SSL Network Extender CLI with certificateVPN with network manager (nm-applet) is not workingWill the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayImport VPN config files to NetworkManager from command lineTrouble connecting to VPN using network-manager, while command line worksStart a VPN connection with PPTP protocol on command linestarting a docker service daemon breaks the vpn networkCan't connect to vpn with Network-managerVPN SSL Network Extender in FirefoxUsing Checkpoint VPN SSL Network Extender CLI with certificate

Cannot Extend partition with GParted The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election ResultsCan't increase partition size with GParted?GParted doesn't recognize the unallocated space after my current partitionWhat is the best way to add unallocated space located before to Ubuntu 12.04 partition with GParted live?I can't figure out how to extend my Arch home partition into free spaceGparted Linux Mint 18.1 issueTrying to extend but swap partition is showing as Unknown in Gparted, shows proper from fdiskRearrange partitions in gparted to extend a partitionUnable to extend partition even though unallocated space is next to it using GPartedAllocate free space to root partitiongparted: how to merge unallocated space with a partition

Marilyn Monroe Ny fiainany manokana | Jereo koa | Meny fitetezanafanitarana azy.