Crowne Plaza Hotel and GDPR

la531983

OK, so where has the breach occurred?  

Coopy666

la531983 said:

OK, so where has the breach occurred?  

‘Used data in unlawful basis’?
‘Recklessly or intentionally processing personal data’?

Golden rule in GDPR=  ‘necessary, proportionate, relevant, accurate, timely and secure’ not sure the Crowne Plaza have stuck to any of these?

sheslookinhot

Coopy666 said:

la531983 said:

OK, so where has the breach occurred?  

‘Used data in unlawful basis’?
‘Recklessly or intentionally processing personal data’?

Golden rule in GDPR=  ‘necessary, proportionate, relevant, accurate, timely and secure’ not sure the Crowne Plaza have stuck to any of these?

Ok, so you should instruct a lawyer to open proceedings against the Crowne Plaza, rather than argue the toss on here.

Coopy666

TheSpectator said:

Coopy666 said:

Penguin_ said:

I'm going to go for the person used a card machine to make the refund but didn't press the refund button, so it went through as a sale, then they (or some one else) compounded this by trying to refund but again put it through as a sale - so the 2 lots of money left your account instantly, but it wouldn't be deposited into the Crown Plaza's account immediately, it may take up to 3 days.

With that in mind, when they do a refund via the card machine the money would leave the Crown Plaza's account right away but wouldn't actually reach your account for up to 3 days.

But the refund was 6 weeks ago, why would they have the right to take £680 out of our account one morning when we haven’t booked anything? Why do they still have our card details?

Think you need to do some research as to what a GDPR breach is. Certainly not your situation.

Personal date breach ‘telephone numbers, credit card numbers, account data’ a case for the ICO?

powerful_Rogue

If you feel there has been a breach, then just report it to the ICO.

Depends what you're hoping to achieve, as the ICO does not award compensation.

A_Geordie

Coopy666 said:

• Personal data
  Any information that can be used to identify an individual, such as names, email addresses, location data, and more 
• Data processing
  Any action performed on personal data, such as collecting, recording, storing, using, and erasing 
• Data subject
  The person whose data is being processed 

Data controller

The person or organization that decides how and why personal data is processed 

Data processor

A third party that processes personal data on behalf of the data controller 

Principles

The GDPR's principles include lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability 

The GDPR defines "processing" as any operation performed on personal data, whether automated or manual. It also defines "restriction of processing" as the act of marking stored personal data to limit its future processing. 

What are the 7 principles of GDPR?

Lawfulness, fairness, and transparency; ▪ Purpose limitation; ▪ Data minimisation; ▪ Accuracy; ▪ Storage limitation; ▪ Integrity and confidentiality; and ▪ Accountability.

Not to be pendatic, but that doesn't answer The Spectator's point. The correct answer would be:

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

@la531983 any alleged breach is likely to lie within: 

Principle 1 (the lawfulness of the processing). If Crowne Plaza has already issued a refund using the card details given, what lawful right do they have to use the card details and charge that card if no booking or other transaction has been made between the OP and Crowne Plaza?

Principle 2 (purpose limitation). The card details were used for a specific purpose which was to process a refund and nothing more. So it begs the question, what purpose did they have in using those card details to charge two lots of £340? 

It is for Crowne Plaza to demonstrate compliance with these principles (accountability principle). 

OP is unlikely to have any argument as to why the card details were still stored after a period of time because this can be passed off as many reasons such as regulatory financial obligations, audit purposes, preparation for filing of accounts with companies house etc. 

Is it a GDPR breach? Technically, yes. Does the OP have any right to compensation? That depends. Claims for GDPR breaches that are determined to be 'de minimis' (meaning the damage caused is too trivial to even bother with it) will be dismissed. I don't think a court would find a company wrongly charging a customer's account twice to be considered a trivial matter. An accidential email to the wrong person with limited personal data and is immediately rectified is an example that could be considered de minimis.

Even if the OP passes the de minimis threshold, the OP needs to show the breach caused some damage. Distress is the obvious one but it could potentially extend beyond that such as inconvenience or other financial damage. Compensation for GDPR breaches are difficult to scope out but I don't think in this instance the OP would be entitled to substantial damages, maybe low to mid 3 figures at best based on the information given by the OP if the court was minded to award compensation. 

pinkshoes

@Coopy666 - Seriously, don't bother with the ICO. They're only interested in mass breaches and couldn't care less about individual cases.

The ICO ruled in my favour when a company used my email address from their database for malicious purposes (I left a sports club after it became apparent the whole thing was money focused and very inexperienced coaches - one of the coaches who I caught out lying on several occasions then decided to be very petty!) but all that happened was the company got told to train their staff better. That was it. Really not worth the effort.

Your case isn't really a GDPR breach, as you provided them with means to pay. It's just some muppet seemed to think the money had to be debited rather than credited. If the £680 had caused you to go over-drawn and incurred fines from the bank, then by all means they should be compensating you to cover your out of pocket expenses. 

born_again

Coopy666 said:

Penguin_ said:

I'm going to go for the person used a card machine to make the refund but didn't press the refund button, so it went through as a sale, then they (or some one else) compounded this by trying to refund but again put it through as a sale - so the 2 lots of money left your account instantly, but it wouldn't be deposited into the Crown Plaza's account immediately, it may take up to 3 days.

With that in mind, when they do a refund via the card machine the money would leave the Crown Plaza's account right away but wouldn't actually reach your account for up to 3 days.

But the refund was 6 weeks ago, why would they have the right to take £680 out of our account one morning when we haven’t booked anything? Why do they still have our card details?

They keep payment details for tax purposes. There is no data breach.

I think the issue here could be that someone in finance/audit team has seen a refund on a card that was never been debited & re debited the card to correct.

Why could they not refund the old card? As even if it was replaced due to being expired or replaced as lost. A refund would go to the old card as refunds are not authorised & bank would just transfer it to the account.

A_Geordie

pinkshoes said:

Your case isn't really a GDPR breach, as you provided them with means to pay. It's just some muppet seemed to think the money had to be debited rather than credited. If the £680 had caused you to go over-drawn and incurred fines from the bank, then by all means they should be compensating you to cover your out of pocket expenses. 

Out of curiosity, let's say the OP did incur overdraft charges or there were other charges because the money taken by Crowne Plaza was supposed to be used for other bills, what would be the OP's legal cause of action if Crowne Plaza refused to pay these losses and the OP was required to issue legal proceedings?

It can't be in negligence because pure economic losses are not recoverable without physical damage occurring, except for a couple of very exceptional circumstances that don't apply here. And it can't be based on a contractual relationship because the previous contract was settled when the OP got refunded.

So, what action other than a GDPR breach do you think the OP be able to rely on in order to successfully sue Crowne Plaza? If there is no legally recognised cause of action then the OP doesn't have a claim for those losses inucrred.

Okell

born_again said:

Coopy666 said:

Penguin_ said:

I'm going to go for the person used a card machine to make the refund but didn't press the refund button, so it went through as a sale, then they (or some one else) compounded this by trying to refund but again put it through as a sale - so the 2 lots of money left your account instantly, but it wouldn't be deposited into the Crown Plaza's account immediately, it may take up to 3 days.

With that in mind, when they do a refund via the card machine the money would leave the Crown Plaza's account right away but wouldn't actually reach your account for up to 3 days.

But the refund was 6 weeks ago, why would they have the right to take £680 out of our account one morning when we haven’t booked anything? Why do they still have our card details?

... Why could they not refund the old card? As even if it was replaced due to being expired or replaced as lost. A refund would go to the old card as refunds are not authorised & bank would just transfer it to the account.

I couldn't understand this either.

I wonder in these sort of cases whether the consumer assumes that because the old card has expired (or been cancelled) that refunds can't be credited to it and so create unnecessary complications by trying to get refunds credited to the new card rather than to the original one.

born_again said:

Coopy666 said:

Penguin_ said:

I'm going to go for the person used a card machine to make the refund but didn't press the refund button, so it went through as a sale, then they (or some one else) compounded this by trying to refund but again put it through as a sale - so the 2 lots of money left your account instantly, but it wouldn't be deposited into the Crown Plaza's account immediately, it may take up to 3 days.

With that in mind, when they do a refund via the card machine the money would leave the Crown Plaza's account right away but wouldn't actually reach your account for up to 3 days.

But the refund was 6 weeks ago, why would they have the right to take £680 out of our account one morning when we haven’t booked anything? Why do they still have our card details?

... I think the issue here could be that someone in finance/audit team has seen a refund on a card that was never been debited & re debited the card to correct...

I suspect that is what has happened as well.  Unnecessary confusion because the OP supplied card details different from the original.