Back in 2011, I sold all of my shares in my former employer and used the money to buy solar panels. I closed my account at the same time. Or so I thought.
Fast-forward 9 years, and I was surprised to receive an unwanted email from the corporate shareholding service. It was some nonsense about their corporate rebranding.
I dropped them a note saying that I hadn’t been a customer for many years and that I was pretty sure they were breaching GDPR. They did not agree:
We can confirm your account will be retained for a period of six years, dated from when the holding drops to zero. This is in line with record keeping requirements under General Data Protection Regulation.
Please note, should you contact us within that time or access your account online, the six year period will reset.
I told them that it had been longer than 6 years since my balance dropped to zero, and I hadn’t logged in since. They replied bluntly:
We can confirm that we are currently unable to delete your account.
My reply was equally blunt: “Please escalate this to your Data Protection Officer”.
A week later, they capitulated:
Following a review of Computershare’s records, I confirm that you have not accessed your online account or contacted Computershare regarding your shareholding since the above mentioned date. Therefore, Computershare should have processed your request to delete your account. Please be advised that the information provided in Computershare’s email of 26 October 2020 was incorrect and your account is available for deletion in accordance with GDPR.
Please accept my apologies for the poor level of service that was provided to you on this occasion. I am sorry to say that this has fallen well short of the normal high standards we expect and I assure you that the appropriate action will be taken to prevent any instances of this nature from occurring in the future.
In light of the above, I have upheld your complaint and arranged for a £25.00 ex-gratia payment to be issued to your registered bank account as a gesture of goodwill.
Of course, they sent the money to an account I’ve not had for over 5 years…
£25 is a small amount of money to them – and in truth only gets me a bonus takeaway. But if enough people start pushing back, complaining, and demanding compensation – perhaps these incompetent companies will start taking data protection seriously?
Perhaps I should have asked for more? But what loss or harm have I suffered? The main problem is that it has increased the attack surface against me. There’s yet another database containing my data. That means one more target for those who are trying to scam me. I want my data on as few systems as possible and, ideally, under my control.