This is actually incorrect, GDPR does require explicit opt in when it comes to personal data, if consent wasn’t previously given in this way then it has to be asked for.
Normal banks do not even give out information if you ask them, is person X a customer with you.
Revolut not only shares this info with any and all contacts you happen to have in your phone. it also manages to mess the contacts upp pretty badly by making empty duplicates.
There is little use for it and pretty unproffessional handled either way if are within legal limits or not its sloppy behaviour.
They have applied for a banking license so there might yet be some hope.
Which you gave when you agreed to the terms of service and again when you gave access to the contacts in your phone.
After that. Such a functionality does not require an opt out.
Perhaps legaly true, yet braindead thinking if they want to become a real bank.
What i have wondered about is that they put "xyz owes you " as descriptio when you request money from them any contact. Their full name is used even if you don’t have it in your contacts
Yes, it does.
Taken from the Information Commissioners Office checklist in the UK:
Tell individuals they can withdraw their consent.
Ensure that individuals can refuse to consent without detriment.
Avoid making consent a precondition of a service.
Not really, they can operate to the letter of the law and the government can’t say anything wrong, because they follow the law.
Also can you mention exactly what about this feature is personally identifiable information, that it requires explicit consent to process, and not just ToS agreeance?
I’d argue that this isn’t really detriment as it causes no disadvantage
Doesn’t matter, you could argue all you want - the fact is that the law states there must be an option to opt out. This law applies to all EU member states, not just the UK.
Must be an opt-out if it requires processing personally identifiable information. Trust me, if there was an issue with it Revolut’s lawyers would have mentioned it. If you don’t like it, close your account or sue them
As others have said:
They’re not though, if it breaks GDPR you can take them to court. If you can’t take them to court it doesn’t break GDPR and you don’t have any leg to stand on legally. Close your account or take them to court.
Do you work for revolut? Is that their official answer?
It’s not something they’ve commented on or acknowledged as being a problem, so I imagine so. I don’t work for Revolut.
@Recchan, what losses would you claim for in a County Court claim in respect of such a breach of the GDPR? A court is not going to award damages without financial loss having been suffered. In most cases, such a breach of the GDPR is unlikely to result in financial loss, but that doesn’t mean that there was not a breach.
Revolut is based in the United Kingdom, where data protection is governed by the Information Commissioner’s Office, which gives guidance on the definition of personal data:
Publishing identifiers (e.g. names) of customers could be a breach of the GDPR. As explained at the top of page 9, telephone numbers are potential identifiers of an individual.
Where a breach of the GDPR has not resulted in financial loss, the only effective remedy is to report the matter to the Information Commissioner’s Office, who can fine the organisation concerned.
Exactly, which would also open the door to every other EU country where Revolut operate fining them. They would probably wave goodbye to any EU banking license being granted also.
Which in itself is of great concern. They should make an official statement, instead of relying on unqualified customers to guess for them.
That’s a relief
All data is stored on your phone and it uses the identifiers from there too thus all the information is available to you and not necessarily identifiable when it comes to names. As for phone numbers, that’s probably Google’s GDPR responsibility assuming you use them to store it, otherwise no one else’s?
I’ll repeat it again:
Report them if there’s such an issue