The new online ordering system used by the Refter violates the user’s privacy. It collects personal data without a legitimate reason and it is not possible to look into the terms and conditions. The Radboud University (RU) is aware of the violation, but will not stop using the system.
Since the beginning of the academic year, the Refter has been using an online ordering system. To place an order, one has to fill in their first and last name and their email address. ‘This is against the General Data Protection Regulation (GDPR), because not all of that information is necessary to place an order’, says Bart Jacobs, professor at the Interdisciplinary Hub for Digitalization and Society at RU.
A bigger problem is that the terms and conditions are missing. Those have to be accepted in order to be able to place an order. ‘You have to accept the conditions while not being able to find out what they are’, Jacobs states. Because the conditions are missing, it is unclear what is done with the collected data. This too is a violation of the GDPR. The university has been aware of the violation since September 16 because of a notification from Frank van Caspel, lecturer in Philosophy of Behavioral Sciences at RU. The system however remains unaltered, which leaves RU at risk of receiving a fine.
Violation of privacy
‘In privacy law, purpose limitation and data minimisation are important criteria for processing personal data’, Jacobs says. ‘The processed data have to be essential for the intended purpose and therefore be minimal’, he explains. The personal data that is asked for when you are placing an order at the Refter is unnecessary according to Jacobs. ‘An email address can be useful to get a confirmation of your order, but that should be sufficient. To pick up the order, a recognizable name could be useful as well, but that could also be “Pippo”, so to speak’, the lecturer continues. ‘Your last name and phone number are not necessary, yet they are still asked for.’ In order to create an account on the website, one has to fill in even more than only their email address and first and last name. It is also necessary to fill in your address, postal code, city, country and telephone number. Collecting all of this data is a violation of privacy law.
Besides, the terms and conditions are not available for the user to read: ‘There is supposed to be a link you can press to read the terms, but it is not there’, Jacobs says. Therefore it is unclear what the data is used for, though the GDPR requires this to be clear. On inquiry, it turns out that the checkout company Eijsink processes the personal data. ‘Eijsink should throw out the data after a day, as they are only used to send a confirmation of the order. It is unclear whether this happens, because there are no terms and conditions’, the lecturer explains. ‘It could be possible that Eijsink uses the personal data from guests at the Refter for their own purposes. Maybe they are sold to other parties or maybe people will get all kinds of advertisements on their email address’, he concludes. ‘It is no murder case, but it is messy that Eijsink did not think about privacy and that the university lets it happen, as they are the party accountable for this.’
Fine
Although the university outsourced the ordering system to Eijsink, it still risks getting a fine. ‘The problems concerning personal data and missing terms and conditions have to be solved by Eijsink, but the RU is responsible for making sure that truly happens’, states Jacobs. As it stands, both parties are breaking the law.
The Data Protection Authority (DPA) (Autoriteit Persoonsgegevens (AP)) monitors compliance with the GDPR and issues fines in the event of violation. ‘The problem is that the DPA is too busy to hand out so many fines, so the risk of getting one is low,’ says Jacobs. ‘However, the severity of the risk should not matter at all. The university has to change the system because it is illegal,’ Van Caspel states.
Reporting the problem
In September, Van Caspel first reported to the RU that the Refter’s ordering system is against the GDPR. That was the starting point of his mission to get this system taken offline. ‘I have addressed the matter with those directly responsible at the Refter, my local privacy officer, the chief privacy officer of the university, the independent data protection officer, the external party that keeps the system up and running, and even the Executive Board is involved’, says Van Caspel. ‘I have done everything I could, but the system is still up and running,’ he concludes.
According to Ronald Sarelse, Data Protection Officer at RU, a solution is being worked on. ‘Eijsink has indicated that filling in the first and last name remains necessary. We will discuss this with them further,’ he says. When asked why the system has not been taken down in the meantime, he replies: ‘We have established that the risk for users is low. It is not special data and not much can be done with it. In addition, people do not have to use this system to eat at the Refter.’ He also confirms that the risk of a fine is indeed low, but according to him this is not the motivation to keep the system online.
This article was published in Dutch on November 17th 2022.