Data rights group files GDPR complaint against airline for ‘charging customers £35 to update their data’ 

Non-profit data rights group None of Your Business (Noyb) has filed a GDPR complaint against Wizz Air after a customer was hit with $35 in phone charges to update her personal data.

Noyb – founded by Austrian activist Max Schrems –told the Austrian Data Protection Authority that the low-cost airline failed to allow subjects the “right to rectification” causing “disproportional effort on the complainant’s side.”

According to the complaint document published on Noyb’s website, a passenger in 2019 attempted to contact Wizz Air to change the airline’s data on her name and email address but was met with what Noyb describes as “a systematic failure to deal with the right to correct personal data without undue delay and free of charge.”

After submitting a “rectification request” with Wizz Air’s Data Protection Officer (DPO), the passenger was ignored for three months, before submitting a new request using Wizz Air’s company contact form. She was told she could only change her surname online if she was married.

The passenger’s name was only changed after she was had racked up €35.67 in phone charges. Noyb argues this contravenes Article 12(5) of the GDPR which states that a copy of the information must be provided to the data subject free of charge unless the request is “manifestly unfounded or excessive”. In which case, the controller can charge the data subject a “reasonable fee”.

Noyb believes Wizz Air has clearly breached GDPR guidelines.

“By forcing customers to call their expensive hotlines for changes, Wizz Air fails to let customers exercise this ‘right to rectification’. The case of the passenger is not an isolated one. Other Wizz Air customers have complained about similar issues too (for example here),” the non-profit states on its website.

Ala Krinickytė, a data protection lawyer at Noyb, said:

“The GDPR states controllers should take ‘every reasonable step’ to ensure that data is accurate. In this case, it feels like Wizz Air failed to take any steps at all. The request for rectification is probably the least contentious data protection request a data subject can submit to the controller. Especially with airlines, it is of great importance that their passenger lists matches the passports. They make things more complicated and costly than necessary.”

The complaint is the most recent move taken by privacy activist Max Schrems who took Facebook to the Court of Justice of the European Union (CJEU) earlier this year in a long battle against the US’s inadequate protection of EU data.

PrivSec Report has contacted Wizz Air for comment.

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.