GDPR Requirement to give personal Information

darkan9el

Hi, I have a situation regarding GDPR and a customer service call.

I have a friend who had a slow broadband issue on BT, he is 85 and not very knowledgable on IT things so asked me to help him. I made the service call to BT (0800 800150) to request they look into why his line was so slow (0.21 down and 0.50 up) I know quite a bit about IT so had already done any preliminary tests and had moved the router to the main outlet, the issue still remained.

Anyway, as part of me making the call the customer service rep (csr) asked for my name, I gave her my first name, I expect this as part of courtesy so the csr can refer to me by name, then she asked for my surname, contact number and address, I refused, they cited GDPR as the lawful reason to request this info and if I did not give her this info she would terminate the call,, I told her all she needed was my first name and that I had their customer in front of me and that he had given me permission to act on his behalf, unfortunately they did not see is as a valid reason and insisted on me giving out my personal data else they would terminate the call. I told them their customer was in front of me and all they had to do was validate his ID (a simple process that I have been through countless times before) but they had become fixated on obtaining MY info not his, none of my personal information would have helped fix this issue and validating their customer should have been the primary goal so that he could then give them permission to deal with me. There is more to this phone call but I have outlined the main points.

My question: Under GDPR, was it Lawful for them to try and obtain my information and was I legally bound to give it or terminate the call?

It's very difficult to find information relating to this situation that's why I'm asking here and on other forums.

I consider this a very serious matter and a breach of my rights to protect my personal info, I make calls for people regularly and have never come across this and it actually scares me where all of this going.

I am fiercely protective of my information and what I find odd is how people become suspicious and defensive when I apply my right to privacy, I find it creepy.

neilmcl

darkan9el wrote: »

Hi, I have a situation regarding GDPR and a customer service call.

I have a friend who had a slow broadband issue on BT, he is 85 and not very knowledgable on IT things so asked me to help him. I made the service call to BT (0800 800150) to request they look into why his line was so slow (0.21 down and 0.50 up) I know quite a bit about IT so had already done any preliminary tests and had moved the router to the main outlet, the issue still remained.

Anyway, as part of me making the call the customer service rep (csr) asked for my name, I gave her my first name, I expect this as part of courtesy so the csr can refer to me by name, then she asked for my surname, contact number and address, I refused, they cited GDPR as the lawful reason to request this info and if I did not give her this info she would terminate the call,, I told her all she needed was my first name and that I had their customer in front of me and that he had given me permission to act on his behalf, unfortunately they did not see is as a valid reason and insisted on me giving out my personal data else they would terminate the call. I told them their customer was in front of me and all they had to do was validate his ID (a simple process that I have been through countless times before) but they had become fixated on obtaining MY info not his, none of my personal information would have helped fix this issue and validating their customer should have been the primary goal so that he could then give them permission to deal with me. There is more to this phone call but I have outlined the main points.

My question: Under GDPR, was it Lawful for them to try and obtain my information and was I legally bound to give it or terminate the call?

It's very difficult to find information relating to this situation that's why I'm asking here and on other forums.

I consider this a very serious matter and a breach of my rights to protect my personal info, I make calls for people regularly and have never come across this and it actually scares me where all of this going.

I am fiercely protective of my information and what I find odd is how people become suspicious and defensive when I apply my right to privacy, I find it creepy.

Well then you should see why they're being protective of your friend's information and requiring you to fully identify yourself to them before proceeding.

BoGoF

Way OTT reaction from you tbh.....'scary', 'creepy'......seriously?

As highlighted by neilmc, can you not see the double standards you are applying here.

shaun_from_Africa

darkan9el wrote: »

My question: Under GDPR, was it Lawful for them to try and obtain my information and was I legally bound to give it or terminate the call?

I would say yes.
Under the GDPR (as with the DPA), companies have a legal obligation to only share personal information with people and businesses that either have a legal right to that information or who have been given permission to access it by the person concerned and companies also have a legal obligation to hold detailed records on whom the information has been given to.

If your friend's data found its way into the hands of unauthorised people and a complaint was made to the ICO about BT, they would have to show that they took all precautions when handling and processing the personal data and a record simply stating that they discussed the info "with Dave" (or something similar) may well not be enough to keep the ICO happy.

giraffe69

Lying would have probably solved the molehill before it became a mountain.

davidwood681

I hope I never have to speak to you OP. You sound like trouble

darkan9el

I wouldn't want to lie but that would show the futility of asking such info.

I could understand a lot of your responses if the customer hadn't been sat in front of me and was wholly willing to give his permission for me to assist him in speaking to the customer service staff.

I required no data from them so no data would or could have been given to anyone, the only information I was given was both the initial customer service reps first name and also the first name of the manager, neither would supply their surname when the customer (not me) asked for them, now that has irony all over it and smacks of double standards.

The response was in their invasive and unnecessary request for my personal info up and above my first name for courtesy reasons.

I really don't get your hostility considering the customer was present and willing to give me permission to speak to them regarding nothing more than slow broadband, I'd already done most of the work for them, all they had to do was run a test on the line. requesting a line test does not require any information to be given to me about my friends account, even though I had most of those details in front of me but I did not request nor court any information from them, that ball was firmly in their court.

I think the workaround is to have the customer make the call relay any information from them to me and visa versa so that I can explain to them what was just said and what that means, else just put them on speakerphone so I can hear what they are saying and respond to my friend and the he repeat what I have said, as ludicrous as that scenario is.

Thanks for your opinions.

marliepanda

darkan9el wrote: »

I think the workaround is to have the customer make the call relay any information from them to me and visa versa so that I can explain to them what was just said and what that means, else just put them on speakerphone so I can hear what they are saying and respond to my friend and the he repeat what I have said, as ludicrous as that scenario is.

Thanks for your opinions.

It’s not ludicrous at all. The CSO is there to help the customer. If the customer then wants to relay that to a third party it’s the customers choice. Having ‘Dave’ call up saying ‘oh yeah Bill says it’s fine here ask him!’ Wouldn’t wash.

neilmcl

Regardless of whether the customer was there with you or not, the CS rep had no way of verifying this was the case, you two could've been anybody as far as they were concerned. Hence the requirement to fully identify yourself before being able to access the customer account. What's "ludicrous" is your failure to understand this.

NeilCr

I have to ring up organisations on clients behalf quite regularly. It's fine if the client goes through their "validation" process okay. Usually involves, amongst other things, account number, NI number, name and address, mobile phone number - and sometimes the "check" question mother's maiden name, first school, pet's name...

I volunteer for an organisation - maybe that helps - but my first name suffices.

As others have said you can't just say "this is me - it's okay to talk to him/her" and all organisations won't proceed if they haven't got the correct verification. It's amazing how many people don't know their base information and passwords!

darkan9el

They could have validated the customer was who he said he was in a few minutes and that I was authorised by him to help. I had all of his details to hand and was more than willing to pass the phone over to him. I mean even for a scripted CS that ain't hard to do.

The mistake I made was in being the first on the phone, he should have answered but the first call was a 15min wait only to be cut off, the second was approx 20mins, this is why I was initially on the phone, all they had to do was ask me to pass the phone over and they could quite easily have verified his identity and moved on to the issue at hand.