
AIBU?


To think this is a breach of GDPR?

28 replies

Newschapter · 27/04/2020 22:14

I last attended a certain weightloss group five years ago.

However over this time I have received the odd text message about certain offers or 'reminders' about things. I have never replied to them nor attended group.

I am aware it might not annoy some people but this evening I got a massive text message from a consultant (not one whose group I have ever attended!!) reminding me that this slimming club is there for me, cheaper than usual and weighing in from home, how they'd love to welcome and hug me and that their bars can now be ordered "straight to your door" Hmm

It has (perhaps irrationally) angered me.

For a start, they still have my data five years on? It has been shared to another consultant/team developer and this is who messaged me.

I do have issues with this brand mind you, I left and joined a gym and have never felt better without the guilt of eating or banning certain foods.

But I want to reply asking them to remove my data and telling them they've breached GDPR - but am I right? Happy to accept I am wrong.

(I am aware there are worse things happening in the world but this triggered me this evening)

CatBatCat · 27/04/2020 22:16

They haven't breached yet because you haven't told them to remove your details.

bridgetreilly · 27/04/2020 22:18

Yeah, I don't think that's a breach, tbh. They're sharing it within the company and using it to contact you about their services. That'll be within the terms you agreed to when you signed up.

But you should definitely ask them to remove you now. And any future correspondence would be a breach.

teqcar · 27/04/2020 22:19

No breach. You are on their mailing list because you didn't ask to be removed.

Newschapter · 27/04/2020 22:20

I was never contacted and asked if I wanted my details removed?

I will do that now.

Ohohohwhereyougoing · 27/04/2020 22:20

I think they have breached as you should have been sent a msg specifically asking if they could keep your details when GDPR was updated.

You should have nipped this in the bud long ago though.

mollibu · 27/04/2020 22:22

I don't think this is a data breach either, OP. You gave your details to (I assume SW?) and they're using them.

Surely it's (kind of) the same as buying an item online and the company using your email to send follow up emails e.g. deals, free shipping etc etc. Smile

I'd contact the weight loss group and just explain that you've not been to group in a few years and can your details be removed.

Newschapter · 27/04/2020 22:28

I agree I should have but never felt strong enough.

I've had counselling since and have recognised the negative feelings provoked by certain things.

I will message and ask for my details to be removed from the database.

I know in work we had emails from outside agencies at the height of the GDPR and we had to reply if we wanted to remain on their lists.

This seems to be different.

LilacTree1 · 27/04/2020 22:33

OP that was my understanding
Prior to GDPR coming in, they should have contacted you and asked if you’d like to stay on the list.

Patch23042 · 27/04/2020 22:36

I recall getting GDPR messages a couple of years ago from all sorts of places asking me to opt in. Loyalty cards I hadn’t used for years, that sort of thing, as well as companies I was still using such as Waitrose, Nectar. So, I don’t think that data from five years ago should still be knocking about, and this new woman shouldn’t be having access to it. That said, the woman is probably unaware of the position so it’s not her fault.

rslsys · 27/04/2020 22:40

I thought when GDPR came in, data holders had to ask each person for permission to continue to hold this data. If they received no response then it was effectively a refusal of permission.

bridgetreilly · 27/04/2020 22:41

No, companies only had to contact you if you hadn't already given permission to be on their mailing list.

I assume that when you sign up for SW or whatever it is, you do give permission for them to email you, so they wouldn't have needed to ask you again when GDPR came in.

Newschapter · 27/04/2020 22:42

I have spoken to an acquaintance who is a former consultant and she said they were all told to update their records in the wake of GDPR to ensure all former members were removed.

I replied to the message asking to be removed from their list and said it's port that they still have my details, to please remove them and don't contact me again.

Job done. And if I am contacted again I will report them for a breach.

Newschapter · 27/04/2020 22:42

Said it's poor they still have my details.

Isleepinahedgefund · 27/04/2020 22:43

Sounds like they didn’t do the GDPR data exercise. They should have either asked you explicitly if you want them to keep your data for x y and z purpose, or told you they would unless you objected and given you the means to remove yourself from their list.

I wouldn’t get up in arms about it with a small business like that, just ask them to remove you.

20viona · 27/04/2020 22:55

Does this really matter in the grand scheme of things?! Just ask them to remove your data.

Newschapter · 27/04/2020 23:01

@Isleepinahedgefund I wouldn't call SW a small company at all. Perhaps some groups/franchises are small, but the company is far from it.

The person who messaged me is a team developer who I remember from my time in the group, she used to visit the group to recruit consultants. So she would have been aware of GDPR as it would have happened during her time with the company.

Hopefully it won't happen again. Like I say, I realise in the grand scheme of things it isn't really a biggie but surely if someone hasn't returned in FIVE years, you don't send them a message during lock down reminding them to be careful that they don't gain any hard lost weight? Like that's at the forefront of people's minds....

VapingHot · 27/04/2020 23:06

FFS!

ZiggeryZaggy · 27/04/2020 23:13

Breach. There is no reason for them to store your data for this amount of time.

dayslikethese1 · 27/04/2020 23:18

If you agreed at the time to contact and never asked to be removed I wouldn't say it's a breach, no. If they continue to contact you after you've opted out then it would be though.

WorraLiberty · 27/04/2020 23:21

"you don't send them a message during lock down reminding them to be careful that they don't gain any hard lost weight? Like that's at the forefront of people's minds...."

It's at the forefront of many people's minds Confused

Lots of people working from home/furloughed/comfort eating/not being able to visit the gym etc.

rottiemum88 · 27/04/2020 23:23

I work in data protection. No, this doesn't constitute a data breach. Nor does it fall under GDPR. SMS marketing is covered by PECR (Privacy and Electronic Communication Regulations), which whilst utilising the GDPR definition of consent, stands completely separate from it. The ICO provide some useful guidance on their website about what is and isn't permissible under PECR. It isn't my area of expertise, but I should imagine when you signed up originally this kind of text marketing will have been covered in the agreement. Now that you've opted out they should cease. Even if they didn't, it wouldn't constitute a data breach but they would be breaking the law. It's worth understanding the facts properly before making any kind of complaint.

OldGranvilleHouse · 27/04/2020 23:25

I think the folk who’ve said that you need to specifically opt in are correct - SW should probably have contacted you round about the time GDPR was being introduced. I also think the company should have a data retention policy where it’ll state how long they hold people’s details once they’re no longer contracting with you, in your case selling you a service.

That said, it’s perhaps an over-reaction to go down the road of a legal breach. Why not just email them and state very clearly that you want no more contact?

Newschapter · 27/04/2020 23:26

Thanks all for the replies.

I haven't made a complaint, I just asked to be removed from their list.
I've had a response to say it will be done ASAP.

So all done now. Ta.

Lordfrontpaw · 27/04/2020 23:30

They should have asked you to opt in - rather than opt out - of their communications (as people have said). It’s not exactly the end of the world - when the rules came in people were very confused!

Ask them to permanently remove your details and confirm that this has been done.

Sparklfairy · 28/04/2020 00:12

So many posters really don't have a clue. All lists had to be contacted and asked to specifically opt in, and the only data they were allowed on file had to be absolutely necessary in order to contact you, and that is ALL they are allowed to do with it.

Your data has been shared (or sold) without your permission and it's a clear breach of GDPR.