The CBP has been discovered that the NS travel of the ov-chipkaarthouders in detail captured and the data without permission used for marketing. Were also addresses of anonymous cardholders collected.
With the use of the reizigersgegevens has the NS, the personal data protection Act breached. In the meantime, the company has, however, adequate measures have been taken, sets the CBP. A penalty on the offense called the organization. The NS used a lot more data than allowed, the data had to be reduced to persons, there was no consent of the customers and the passengers were not informed, it is the hard conclusion of the investigation report of the privacy watch dog.
Transport companies are only allowed to so-called derivative data processing: the trip frequency, the length of time since the last trip, or passengers travelling within or outside of the rush hour travel, voorkeurstrajecten and voorkeursstations. The NS collected, however, also name, address and place of residence in combination with gender, age, and subscription, and transaction information such as check in and check out, the date and time of the transaction and the balance before and after the transaction.
Moreover, it used the NS e-mail addresses of travelers with an anonymous ov-chipkaart, which is traveling at balance via the website of the NS activation. “As a public transport company an anonymous ov-chipkaart offers you, the traveller should be able to assume that the company can be traced back to the natural person”, in the report. The NS would be the data is now erased and the activation via the website has made it impossible to have.