The DPC received a number of queries regarding new or existing customers being requested by Vodafone to produce their employment details and work phone number as a requirement for the provision of service by that company.

The concerns arising were that the requests were excessive and contrary to the Article 5 principle of lawful, fair and transparent collection as the processing of data relating to their employment status was entirely unrelated to the product or service that they were receiving from the telecommunications company, which was for their personal or domestic use only.

Second, there were concerns that the mandatory request for a customer’s occupation/place of work/work phone number was not adequate, relevant or necessary under the “data minimisation” requirement and did not meet the purpose limitation principle as set out in Article 5 of GDPR. Third, there were also concerns amongst customers that the company’s data protection/privacy notice did not comply with the transparency requirement of GDPR Article 13(1).

Following engagement with the DPC, Vodafone admitted that it had made an error in the collection of this information. The company stated that the problems were caused by a legacy IT system that had not been updated to remove this requirement and that any access to the data was exceptionally limited and was not used for any additional processing purposes by them. Vodafone immediately commenced a plan to remediate the problems caused and, on the insistence of the DPC, published on its website the details of what had occurred, so that customers would be aware of the issue.