GDPR in Action - Orange

Now that the GDPR is in effect, I decided to use it to see what kind of personal data some companies are storing about myself.

The first company I got in touch with is Orange. In case you don't know, Orange is a French telecommunication company that sells - among other things - Home Internet and Phone subscriptions.

I've had multiple mobile phone subscriptions with Orange over the years, so I figured they might be having some interesting data to look at.

Step 1: Right of access

The first step was to read Orange's privacy policy:

Vous pouvez exercer vos droits à tout moment, ainsi que contacter le Délégué à la Protection des Données personnelles aux adresses ci-dessous.

Toute demande d'exercice de vos droits doit être accompagnée de la photocopie d'un justificatif d'identité (carte nationale d'identité délivrée par l'Etat français ou carte d'identité de l'union Européenne ou passeport, carte de résident délivrée par l'Etat français, carte de séjour délivrée par l'Etat français ou livret de circulation délivré par l'Etat français). Une réponse vous sera adressée dans un délai d'un mois à compter de la réception de votre demande.

Basically "To use your right of access, please send us your ID at the following address and we'll get back to you within a month". It sucks that you cannot contact them directly online... but let's follow their instructions!

On the 28th of May, I sent Orange a letter asking for a copy of all data they have about myself... without forgetting to include a copy of my ID in the letter!

Step 2: Wait, who are you?

A few days later, I received a letter from Orange acknowledging my request but notifying me that they failed to identify myself in their system. In order for them to do that, I would need to provide them with some contract references so they can look them up.

I found it surprising that they couldn't find my previous contracts through my identity since I had to provide a copy of that same ID when signing up. Anyway, I sent them my client account numbers for multiple subscriptions that I've had with them in the past.

Shortly after, I received a new letter saying that they managed to identify myself in their system and that they would get back to me with the data I asked for within a month.

Step 3: What data?

Now yesterday I received a phone call from an Orange representative telling me that they are looking into my request and would like to know what kind of data I want to receive a copy of.

"Any personal data" wasn't an appropriate answer, apparently. I'm not sure how I am supposed to know what kind of personal data they store if they don't even know that themselves :x

I asked to be granted access to the location data they are storing (the same ones that can be requested by a judge to determine your whereabouts) but they could only tell me they would need a validation from their legal department in order to do that.

Ultimately I was told they could send me the following information:

• Details about the previous requests I made to their customer support
• Detailed call logs

That seem quite cheap compared to what I could guess they store. I'm honestly quite surprised I was asked to pick what data to get without being given any suggestions.

I'd be curious to know whether this complies with the GDPR.

To be continued...