
British Airways shows how not to GDPR - cpncrunch
https://techcrunch.com/2018/07/19/british-airways-shows-everyone-how-not-to-gdpr/
======
hodgesrm
Major props to Mustafa Al-Bassam for his letter to BA. It hits all the points
of a classic complaint letter including overall polite tone, citations of
applicable law, and asking for a written response within a specific timeframe.
IANAL but this looks like a 10 for 10 effort.

Definitely worth favoriting this in case you need to write your own complaint
letters in future.

~~~
mikekchar
My only real complaint about the letter is that he assumes the use of the data
is under consent lawful basis. While I can't imagine any other lawful basis
that would work, I think he should have explicitly asked, "Under what lawful
basis are you sending this data to these parties?" Similarly, he should have
said, "I don't remember being informed that you were using these data
processors. Can you send me the statement that I agreed to?" Even under
contract lawful bases you _still_ have to inform the customer when you send
data to a third party, so this is really important.

~~~
AstralStorm
Easy: they shouldn't be sending the data if there is no lawful basis for
processing. This is an offense that is subject to fine if repeated.

Saying "I do not remember" puts the burden of proof on you. Meaning you get
ignored.

He is stating that he was not informed properly, which places the burden of
proof on the airline.

To be compliant under consent rule, there are some rules to be met. For
example, there can be no implied consent or implied notification about
processing the data. The parties that process the data have to be exactly
named including the rationale for providing the data to them. Some kinds of
processing have to be optional, as in service has to be provided even when the
person does not give consent. (In case of transportation, this likely applies.)

~~~
mikekchar
Not to press a point, but there is nowhere that BA is saying that they have
consent. The question is under what lawful basis are they using that data. If
it's consent, then where did I consent? If it's not consent, how do I object?

Keep in mind that consent is only one of the lawful bases. You _never_ have to
get consent to use data. In fact, if you are doing things correctly, you will
never need consent. You can't assume that they are using the data under
implied consent -- there are lots of lawful bases that they can use instead
and they need to explain why they used them.

------
dvfjsdhgfv
How ironic it's coming from TechCrunch.

