Dear Sir or Madam:
I recently received a mailing from you.
I’d like you to send me a copy of the personal data you hold on me.
I am particularly interested in where you obtained my name and address from.
The numbers on your mailing are
I’d like you to explain what these mean.
Dear Mr xxxx
Thank you for your email. Firstly, we can confirm that we do not have any of your personal data on our records of any kind.
The recent Christmas appeal which you received, was sent out as part of our Christmas campaign. During this campaign, we purchased some contact details from a third party supplier for temporary use – these details are not stored on our database and are no longer in our possession.
In this instance, your details were selected for The Christmas Appeal – which also includes a Christmas appeal reminder which you are likely to receive in the next 2-3 weeks, and, unfortunately, as the mailings are selected far in advance, it is not currently possible to prevent this mailing from being sent. Please accept our sincere apologies for any inconvenience this may cause you. However, we confirm that we do not hold any of your data on our database.
The DM code you have listed below indicates that your details were temporarily given to us for a one-off use.
The XA code you supplied is your reference number is not stored on our own system in any way.
What a great reply! We don’t have any data on you; we did have a while ago to send you an unsolicited letter but it was only held temporarily and besides we bought it from someone else. We’ve checked the reference numbers you gave us even though we don’t have them on our systems.
And we won’t be processing your data while we hang onto it for 2 to 3 weeks so we can send you a reminder about the unsolicited begging letter we just sent.
Am I the only person who finds this unacceptable? Or is this the norm for the charity sector? Just for clarity the ICO says
“Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data”
So that’s 3 processing operations at least – obtaining, mailing and holding. Maybe even destruction if in fact they do delete it. (Next Xmas will tell me this). The ICO doesn’t give an exemption for ‘temporarily” processing it.
When Christmas (the season of good cheer and peace to all data subjects) arrives, is it part of the festive spirit (or even lawful?!) to buy a wodge of names and addresses that you have no relationship with and then mail them two (count them) begging letters; and when someone makes a subject access request say, “We do not hold any data on you – we did last week but it’s disappeared. We might hold it again in a week or two but only for a short time and then it will disappear again.”
This organisation is a good organisation. I support their aims and like listening to their brass bands outside supermarkets in the run up to Christmas, but I find their marketing activities dubious. It may just affect my giving to them this year.