Wednesday 19 June 2019

Hairdresser told customer she couldn't get details about hair dye due to 'GDPR concerns'

  • Office of the Data Protection Commissioner tackles some of the 'colourful myths' about GDPR
  • Another case includes paramedics not being allowed medical history of patient at nursing home
  • Complaints to the office have more than doubled since GDPR laws introduced a year ago

Markus Krug

A hairdresser refused to tell a woman the brand of hair dye she used on her due to GDPR concerns, it has emerged.

In a blog, the Office of the Data Protection Commissioner (DPC) cited this example as one of the more "colourful myths" when it comes to the General Data Protection Regulation (GDPR).

The DPC's office - which handles complaints and queries relating to GDPR from members of the public and individual organisations - says a woman contacted them claiming "data protection prevents my hairdresser from telling me what hair dye has been used".

The customer wanted to know which exact colour and brand of hair dye was used before moving to a new hairdresser.

She claimed her existing hairdresser refused to give her the details, citing concerns over data protection.

The DPC stressed “that not every request for information is an access request for personal data under the GDPR, especially where the customer clearly didn’t intend to or indicate that they wanted to make such a request.”

Similar myths around data protection are based on cases like a management company being denied confirmation about a potential fire in one of their apartment blocks by the fire brigade and a case of paramedics being denied the medical history of an unconscious patient over GDPR concerns.

The DPC argued that in both cases there would not have been any legitimate concerns over data protection.

While the confirmation of an event does not include personal data at all, “the vital interests of the patient” in the other case would have outweighed the protection of personal data.

Just two weeks ago, RTE's 'Liveline' programme heard how litter bins were removed by An Post from the GPO, with the company citing fears litter in the bins could amount to a 'data breach'. The DPC has since clarified that litter in a bin is not data.

When it comes to the overall changes since the introduction of GDPR, a number of trends are emerging.

Most of the complaints made to the DPC related to retail banks, telecommunications companies and internet platforms.

Personal data, unauthorised disclosures and direct marketing are among the types of complaints made by members of the public.

Since the introduction of GDPR laws on May 25 last year, the DPC has received some 6,051 complaints.

For the 12 months before the introduction of the new laws, that number stood at 2,642.

In addition to the high number of complaints, the DPC has also seen an increase in data breach notifications from organisations and businesses.

Under the GDPR, every data controlling organisation is now legally required to notify the DPC of any potential data breach that occurs. Since May 25 last year, some 5,492 notifications were made to the commission.

Most of these breaches can be traced back to human error. One of the most common cases is an email, text, letter or correspondence sent to an incorrect recipient.

Online Editors
