The Kingdom Tower

Management blog

Companies had better not secretly monitor their customers

This week it came out that the car rental company Europcar had to pay a fine of 54,000 euros for violating data protection law. For several years, Europcar had installed GPS systems in premium-class rental cars and was therefore able to determine the location of the car at any time. In addition to the location, the date, time and speeds were also recorded - and all of this without the renter's knowledge.


The case is relevant in terms of data protection law because the data collected made it possible to create a comprehensive movement profile of the car renter. Europcar's motive for the surveillance campaign was clear: it was about securing its own vehicle fleet against theft and against the dangers of use contrary to the terms of the contract. That is certainly understandable from an entrepreneurial point of view. But from the point of view of data protection law, Europcar must be able to demonstrate a so-called legitimate interest, which must also outweigh the interests of the renters if such tracking is to be permitted.

Christoph Rittweger, partner and head of the IT team at Baker & McKenzie


Since the renters were monitored in this way regardless of any specific suspicion, and given such a significant interference with personal rights, the renter's consent is typically the only means of making the monitoring lawful.

Car rental companies and lessors of other premium items who want to monitor their rental items will therefore have no choice but to be transparent: they must inform their customers in advance of the intended monitoring and obtain the renters' consent - or else forgo the monitoring, or decline to rent to them at all if the renter refuses to give consent.

British Airways' ideas are stirring up tempers on the island

However, it is not only mistrust of one's own customers that can have pitfalls in terms of data protection law, but also measures that are supposed to improve service and promote customer satisfaction. This is shown, for example, by British Airways' plans to compile data on its passengers in order to get to know them in advance. The airline not only wants to hoard general group-internal data about routes flown or booking modalities, but also personal information such as previous menu choices or previous complaints. The personal dossier, which is to be transmitted to the flight attendants via tablet PC, is to be rounded off with photos of the passengers, which are obtained by searching Google.

A personal greeting may be flattering for passengers and make them feel like they really are king. But at the latest once sensitive information is researched and used - such as indications of food intolerance, for example - customers are likely to get a queasy feeling, despite all the advantages of a personalized service. Privacy advocates in the United Kingdom are also up in arms over British Airways' plans.


Companies should keep their hands off secretly collecting and linking publicly available data via Facebook and Google

This uncomfortable feeling also corresponds to a legal rule: data protection laws in the EU are based on strict purpose limitation and on transparency in the collection and use of data. If data that is collected in the context of a business relationship is to be used beyond what is required for entering into, fulfilling or terminating the contractual relationship, this is only permitted within limits.

The same applies to the linking of such data with data that is publicly accessible on the Internet. Such use has to be weighed against the personal rights of the customer, even where the service provider has a legitimate interest in improving the service. Combining information from various sources into a comprehensive profile - I am thinking of the Facebook option - is unlikely to meet this requirement.

Such measures are also only permitted if the customers first receive transparent information about the specific intended use of the data - and, if necessary, give their consent.

Four years from now, corporate data breach fines may increase to as much as two percent of annual global sales

Service providers should therefore be made aware of the requirements of data protection law when using data for their own business purposes and, if in doubt, inform their customers about their plans in advance and, if necessary, obtain customer consent, especially when the use of data goes in the direction of creating profiles. Incidentally, when the new European data protection regulation comes into force - currently expected for 2016 - there is a risk of severe fines in the event of violations: the upper limit can then be as much as two percent of global annual sales.
