
Ask HN: A company just shared my contact details without asking me what do I do? - SamWhited
A company called Pana that schedules travel for interviews just reached out and told me they shared my information (presumably this means email and phone number, but I&#x27;m not sure) with Uber so I could book rides. Uber is a disgusting company that I want nothing to do with, and I certainly don&#x27;t want them to have my email (they&#x27;ve already sent me one email since Pana shared my information). I did not sign an EULA or similar for Pana, Uber, or the company I was interviewing with.<p>Can they really just share my information like this? Do I have any recourse?
======
matthewdumler
First, I don’t have an answer, but I’m commenting because I was reminded of a
recent experience I had.

Last week, I turned down a job offer, and it was largely influenced by the
information the hiring agency, which the company went through, required me to
provide. They wanted all kinds of information about me, and it was clear it
was almost entirely unrelated to the company offering me the job. They simply
wanted to add me to their line of products, whether I wanted them to advertise
me or not. If I didn’t provide the information, I didn’t get processed.

Needless to say, I’m happily looking for employment elsewhere. I firmly
believe this is both wrong, and a practice which should be illegal. If it
isn’t already?

~~~
BjoernKW
Well, it is in the EU. GDPR commonly is perceived as applying to online
businesses alone, which of course is wrong.

As a company you’re only allowed to ask for and record the data that’s
required to conduct the business at hand. Otherwise, you have to tell your
customers how their data will be used.

This of course absolutely applies to traditionally offline businesses such as
recruitment agencies as well.

------
ajeet_dhaliwal
Given they schedule travel on your behalf, and don’t actually provide
transportation themselves, how would they be able to do this without sharing
your information? Not saying what they did is necessarily right but this seems
like a legitimate need. Seems like they should have made it clearer from the
outset that they would do this though so you were in the know.

~~~
SamWhited
They probably can't, but they should ask permission first. I didn't sign an
EULA or anything that asked if they could share my information with Uber.

------
hluska
Two (somewhat competing) thoughts:

1.) In the grand scheme of things, a company that books travel sharing your
info with a company that provides rides isn’t the worst thing to ever happen
in the world of privacy and interviews. You could take the nuclear option,
which would involve naming and shaming Pana and potentially writing some
letters. Depending on where you are, this could violate some privacy
legislation. Or, you could decide that wasn’t too far out of line and merely
ask Uber to delete your info and stop emailing you. And, you could keep the
nuclear option in mind if they don’t respond.

2.) Anecdotally, the interview stage is the best that a company will get. If
they’re already doing things you consider sketchy, I promise that things won’t
magically get less sketchy when you take the job. I can think of two
‘opportunities’ I could have saved myself from if I had internalized that
lesson.

~~~
SamWhited
I don't think the company I'm interviewing with did anything sketchy, to be
clear. They just used yet another garbage startup that's solving a problem
that doesn't exist, making the process harder, and can't be bothered to have
any responsibility or consider that sharing someones contact details or
setting up an account for them without their consent is not okay. It's Pana
that's absolutely not okay in my book (although I suppose it's reasonable to
say that the company I'm interviewing with should have seen this and avoided
them).

------
cpach
Which country are you in? In the EU this could potentially be a violation of
GDPR.

~~~
SamWhited
It doesn't matter really; so far my entire experience with GDPR is that people
just claim they think you're not in the EU and tell you they won't remove any
of your data (AirBNB did this for friends who tried to get their data deleted,
and I've seen similar things from a number of companies who want proof that
you're an EU resident, but I'm obviously not sending them even more info like
a passport just to convince them to delete my data). I wish the GDPR had any
teeth, but companies for now seem to think it doesn't.

~~~
danieka
I does have teeth, but you need to be willing to sue the company to force
removal. Data protection agencies are swamped with complaints so you have to
take things into your own hands. Article 79 opens up for civil action against
data controllers that refuse to obey the GDPR. Data subjects can sue for
compensation, but are probably not restricted to compensation. It's a
reasonable interpretation of the GPDR that you can sue for deletion.

At the very least your friend should submit a complaint to his country's data
protection agency.

In your case I absolutely think that you could have a valid claim for
compensation. But the devil is in the detail. For example, on what legal basis
is the company you interviewed with processing your data? On what basis is
Pana processing it? If you're genuinely interested in trying to claim
compensation you can reach out to me and I can give you some directions and
reading tips.

EDIT: IANAL, but I work with data protection questions.

