Skip to content

Instantly share code, notes, and snippets.

@musalbas
Created July 19, 2018 11:47
Show Gist options
  • Save musalbas/15420ee8318347a76a0fb3a120825e00 to your computer and use it in GitHub Desktop.
Save musalbas/15420ee8318347a76a0fb3a120825e00 to your computer and use it in GitHub Desktop.

Dear British Airways,

I am concerned that you have not handled my personal information properly.

Recently, I tried to check-in online on your website, but the interstitial page did not redirect me, and thus I was unable to check-in. I discovered that this was because my adblocker was enabled. After disabling my adblocker, I discovered that your check-in page was leaking my booking reference and surname to countless third parties for advertising purposes, including Twitter, LinkedIn and Google Doubleclick. I've attached for some network logs from Chrome's web developer console for some example evidence.

I do not recall explicitly consenting for my information to be shared in this way, nor do I see any way to opt-out or withdraw my consent. This all appears to be a violation of article 7 of GDPR for conditions of consent, which states "where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data" and "the data subject shall have the right to withdraw his or her consent at any time".

Note that even though your privacy policy states that you may share my personal information with third party advertising agencies, you must still ask for consent explicitly. Article 7 of GDPR states: "if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language". I do not recall being requested for consent for you to share my data with third parties in a clearly distinguishable way.

Therefore the following questions arise:

  • Why did you not explicitly ask for my consent to share my data, in a clearly distinguishable way?
  • How do I exercise my right to opt-out from consenting for you to share my data with third parties for advertising purposes, in accordance with GDPR?
  • How will you remedy or compensate customers who have had their privacy rights violated because you have not explicitly asked for their consent?

Finally, under article 15 of GDPR and the UK's Data Protection Act, I would like to exercise my right to request a) all the data that you hold about me and b) a list of the recipients to whom my personal data have been or will be disclosed.

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me at [email protected].

Yours faithfully Mustafa Al-Bassam

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment