
Crowne Plaza Hotel and GDPR

Comments

  • prowla
    prowla Posts: 14,006 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    I don't see a GDPR issue here; it appears to be an operational error and not mishandling of data.
  • user1977
    user1977 Posts: 17,878 Forumite
    10,000 Posts Seventh Anniversary Photogenic Name Dropper
    edited 12 December 2024 at 9:30AM
    prowla said:
    I don't see a GDPR issue here; it appears to be an operational error and not mishandling of data.
    Indeed, if you followed that logic then even if you paid in person and they keyed in the wrong price it would also be a GDPR error for misusing your card data, rather than merely a c0ck-up.
  • A_Geordie
    A_Geordie Posts: 259 Forumite
    Third Anniversary 100 Posts Name Dropper
    edited 12 December 2024 at 10:01AM
    user1977 said:
    prowla said:
    I don't see a GDPR issue here; it appears to be an operational error and not mishandling of data.
    Indeed, if you followed that logic then even if you paid in person and they keyed in the wrong price it would also be a GDPR error for misusing your card data, rather than merely a c0ck-up.
    So if we assume this is a c0ck-up rather than a GDPR breach, when do you think it becomes a GDPR breach? Companies and the Government have been sued for such c0ck-ups by sending emails to thousands of people containing their personal information - the person who caused that will say it is a c0ck-up and an operational/administrative error and yet it is acknowledged that it's a GDPR breach - yet somehow you both arrive at a different conclusion.

    The GDPR doesn't differentiate between the level of the breach and how many people it affects in order to determine if it is a breach or not. The definition of a breach also includes accidental breaches, which includes c0ck-ups or operational errors as suggested here.
  • eskbanker
    eskbanker Posts: 37,307 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    A_Geordie said:
    Companies and the Government have been sued for such c0ck-ups by sending emails to thousands of people containing their personal information
    Have they?  I'm conscious that the ICO have levied fines on numerous occasions (for egregious breaches), but are you referring to something else?
  • A_Geordie
    A_Geordie Posts: 259 Forumite
    Third Anniversary 100 Posts Name Dropper
    edited 12 December 2024 at 1:43PM
    eskbanker said:
    A_Geordie said:
    Companies and the Government have been sued for such c0ck-ups by sending emails to thousands of people containing their personal information
    Have they?  I'm conscious that the ICO have levied fines on numerous occasions (for egregious breaches), but are you referring to something else?
    I'm referring to individuals suing for compensation rather than the ICO levying fines; some of them are well publicised and others are not, or not at all. The MOD data breach exposing personal information by email about the interpreters used in Afghanistan, and the Welsh Government sending an email(s) about certain individuals to the wrong individuals, are examples I am aware of where they have been sued by the affected individuals.
  • Ergates
    Ergates Posts: 3,049 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    A_Geordie said:
    user1977 said:
    prowla said:
    I don't see a GDPR issue here; it appears to be an operational error and not mishandling of data.
    Indeed, if you followed that logic then even if you paid in person and they keyed in the wrong price it would also be a GDPR error for misusing your card data, rather than merely a c0ck-up.
    So if we assume this is a c0ck-up rather than a GDPR breach, when do you think it becomes a GDPR breach? Companies and the Government have been sued for such c0ck-ups by sending emails to thousands of people containing their personal information - the person who caused that will say it is a c0ck-up and an operational/administrative error and yet it is acknowledged that it's a GDPR breach - yet somehow you both arrive at a different conclusion.

    The GDPR doesn't differentiate between the level of the breach and how many people it affects in order to determine if it is a breach or not. The definition of a breach also includes accidental breaches, which includes c0ck-ups or operational errors as suggested here.
    Just an FYI (because you're a helpful person here and I wouldn't want you to get into trouble).  Deliberate misspelling of "naughty" words to circumvent the profanity filter is explicitly banned in the forums rules.

    Just say !!!!!! up and let it get starred out...
  • prowla
    prowla Posts: 14,006 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    A_Geordie said:
    user1977 said:
    prowla said:
    I don't see a GDPR issue here; it appears to be an operational error and not mishandling of data.
    Indeed, if you followed that logic then even if you paid in person and they keyed in the wrong price it would also be a GDPR error for misusing your card data, rather than merely a c0ck-up.
    So if we assume this is a c0ck-up rather than a GDPR breach, when do you think it becomes a GDPR breach? Companies and the Government have been sued for such c0ck-ups by sending emails to thousands of people containing their personal information - the person who caused that will say it is a c0ck-up and an operational/administrative error and yet it is acknowledged that it's a GDPR breach - yet somehow you both arrive at a different conclusion.

    The GDPR doesn't differentiate between the level of the breach and how many people it affects in order to determine if it is a breach or not. The definition of a breach also includes accidental breaches, which includes c0ck-ups or operational errors as suggested here.

    So where did the OP's personal data get shared with 3rd parties?
    It's a bit of a stretch to try and equate those scenarios.

  • A_Geordie
    A_Geordie Posts: 259 Forumite
    Third Anniversary 100 Posts Name Dropper
    edited 12 December 2024 at 9:17PM
    Just to be clear, personal data doesn't need to be shared to be considered a breach and, as I pointed out in an earlier post, the unlawful or accidental processing within Crowne Plaza is sufficient to constitute a data breach. The definition of 'processing' under the GDPR is very broad but for this topic, it's safe to say that processing card information will fall within the scope of processing of personal data.

    Crowne Plaza, as the merchant, will submit the OP's card details to its bank, who is the acquirer, who will then process that payment information via a card scheme that manufactured the card such as Mastercard or Visa and then to the card issuer which will be the OP's bank, and then finally confirm the payment back to Crowne Plaza. So to your question, even though it isn't relevant to the OP's issue, there is clearly the processing and sharing of the OP's personal data with third parties as this is pretty much how every type of payment processing works.

    There is no stretch between the two scenarios - a single email sent to the wrong person would be deemed a data breach if there is no legal basis to send that email to the wrong person, since there must be at least one of the legal bases applying each time you are processing someone's personal data (unless an exemption applies). Using someone's personal data to send them marketing information when they have opted out (even if it is just one) will also be considered a data breach. However, not every data breach will result in 'damage' being inflicted on the affected individual or create a sense of distress or anxiety or whatever, and therefore there is no automatic compensation for a mere data breach. So each issue will be fact specific.
  • prowla
    prowla Posts: 14,006 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    A_Geordie said:
    Just to be clear, personal data doesn't need to be shared to be considered a breach and, as I pointed out in an earlier post, the unlawful or accidental processing within Crowne Plaza is sufficient to constitute a data breach. The definition of 'processing' under the GDPR is very broad but for this topic, it's safe to say that processing card information will fall within the scope of processing of personal data.

    Crowne Plaza, as the merchant, will submit the OP's card details to its bank, who is the acquirer, who will then process that payment information via a card scheme that manufactured the card such as Mastercard or Visa and then to the card issuer which will be the OP's bank, and then finally confirm the payment back to Crowne Plaza. So to your question, even though it isn't relevant to the OP's issue, there is clearly the processing and sharing of the OP's personal data with third parties as this is pretty much how every type of payment processing works.

    There is no stretch between the two scenarios - a single email sent to the wrong person would be deemed a data breach if there is no legal basis to send that email to the wrong person, since there must be at least one of the legal bases applying each time you are processing someone's personal data (unless an exemption applies). Using someone's personal data to send them marketing information when they have opted out (even if it is just one) will also be considered a data breach. However, not every data breach will result in 'damage' being inflicted on the affected individual or create a sense of distress or anxiety or whatever, and therefore there is no automatic compensation for a mere data breach. So each issue will be fact specific.
    Whataboutery is a great thing.
    The OP gave the hotel permission to use their debit card data, so there is no breach there.
    However, the amount was incorrect (in fact a debit was made instead of a credit).
    The OP contacted the hotel and requested a repayment, which implicitly gave permission to use the credit card details again, and the mistake was put right.
    All of the data was (as far as we know) bounded by the context of those two transactions, which are clearly covered by appropriate use.
    So where is the precise GDPR transgression in the context of this thread?

  • PHK
    PHK Posts: 2,294 Forumite
    Eighth Anniversary 1,000 Posts Photogenic Name Dropper
    A_Geordie said:
    Just to be clear, personal data doesn't need to be shared to be considered a breach and, as I pointed out in an earlier post, the unlawful or accidental processing within Crowne Plaza is sufficient to constitute a data breach. The definition of 'processing' under the GDPR is very broad but for this topic, it's safe to say that processing card information will fall within the scope of processing of personal data.

    Crowne Plaza, as the merchant, will submit the OP's card details to its bank, who is the acquirer, who will then process that payment information via a card scheme that manufactured the card such as Mastercard or Visa and then to the card issuer which will be the OP's bank, and then finally confirm the payment back to Crowne Plaza. So to your question, even though it isn't relevant to the OP's issue, there is clearly the processing and sharing of the OP's personal data with third parties as this is pretty much how every type of payment processing works.

    There is no stretch between the two scenarios - a single email sent to the wrong person would be deemed a data breach if there is no legal basis to send that email to the wrong person, since there must be at least one of the legal bases applying each time you are processing someone's personal data (unless an exemption applies). Using someone's personal data to send them marketing information when they have opted out (even if it is just one) will also be considered a data breach. However, not every data breach will result in 'damage' being inflicted on the affected individual or create a sense of distress or anxiety or whatever, and therefore there is no automatic compensation for a mere data breach. So each issue will be fact specific.
    Thank heaven for some sense in this thread. 

    Something most people have missed is that the hotel (or whatever business) should not be storing card numbers at all. 

    When a transaction is processed, the processor generates a token that represents that transaction and can only be used to refund all or part of the transaction. There should simply be no need to take details for a refund (unless the token has expired - which is unlikely here). That they did and apparently stored them is in itself a breach of regulations, let alone possibly a breach of data protection principles. 
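The refund-by-token model PHK describes, shown as an added example that is not part of the thread and is not any real processor's API: a stand-in processor is the only party that sees the card number (PAN), it hands the merchant an opaque transaction token, the merchant persists only that token plus the last four digits, refunds are made against the token and capped at the unrefunded balance, and a final scan checks what the merchant stored for anything that passes as a card number. The `Processor` and `MerchantRecord` classes, the `txn_` token format and the test card number 4111111111111111 are all constructed for this illustration.

```python
"""Refund-by-token (constructed example). The merchant never keeps a PAN;
it keeps a processor token and uses that to refund, with the refund amount
bounded by what was charged. None of this is a real processor's API."""
from dataclasses import dataclass, field
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check, as used to validate card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Processor:
    """Stand-in for the acquirer/processor (assumption). It alone holds the
    PAN; the merchant only ever gets back an opaque transaction token."""
    _vault: dict = field(default_factory=dict)  # token -> charge record

    def charge(self, pan: str, amount_pence: int) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid card number")
        if amount_pence <= 0:
            raise ValueError("amount must be positive")
        # Hex groups separated by dashes so the token can never contain a
        # 12+ digit run that a PAN scanner would flag.
        h = secrets.token_hex(8)
        token = "txn_" + "-".join(h[i:i + 4] for i in range(0, 16, 4))
        self._vault[token] = {"pan": pan, "charged": amount_pence, "refunded": 0}
        return token

    def refund(self, token: str, amount_pence: int) -> int:
        """Refund against a token only; returns the remaining refundable balance."""
        rec = self._vault.get(token)
        if rec is None:
            raise KeyError("unknown transaction token")
        refundable = rec["charged"] - rec["refunded"]
        if amount_pence <= 0 or amount_pence > refundable:
            raise ValueError("refund exceeds refundable balance")
        rec["refunded"] += amount_pence
        return rec["charged"] - rec["refunded"]


@dataclass
class MerchantRecord:
    """What the hotel persists: no card number, just the token and last four."""
    booking_id: str
    token: str
    last4: str
    amount_pence: int


def take_payment(proc: Processor, booking_id: str, pan: str, amount_pence: int) -> MerchantRecord:
    token = proc.charge(pan, amount_pence)
    return MerchantRecord(booking_id, token, pan[-4:], amount_pence)


def refund_booking(proc: Processor, rec: MerchantRecord, amount_pence: int) -> int:
    """The merchant refunds with the token; it never needs the card details again."""
    return proc.refund(rec.token, amount_pence)


# A run of 12 to 19 digits not adjacent to other digits, then Luhn-filtered.
PAN_RE = re.compile(r"(?<!\d)\d{12,19}(?!\d)")


def find_stored_pans(text: str) -> list:
    """Scan persisted merchant data for anything that looks like a card number."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    proc = Processor()
    rec = take_payment(proc, "BOOKING-1", "4111111111111111", 12000)  # £120.00
    print("stored:", rec)                                  # token + last4 only
    print("remaining after £50 refund:", refund_booking(proc, rec, 5000))
    print("PANs in merchant store:", find_stored_pans(repr(rec)))  # []
```

The merchant-side record is what a PCI-style review would inspect: `find_stored_pans` over the serialised record should come back empty, while the same scan over a record that had kept the full number would flag it.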

