Just emailed firstname.lastname@example.org
It has come to my attention that when someone puts Truecaller on their mobile phone, they are supplying Truecaller with ALL the phone number and name data in their phones database.
Truecaller then uses that information to tell other users who it thinks any particular phone number belongs to.
My point being that this is a breach of personal privacy, and Truecaller seems to be Swedish.
"Copyright © 2009-2016 True Software Scandinavia AB. All rights reserved. Truecaller™ is a registred trademark.
Responsible publisher: Alan Mamedi appointed by True Software Scandinavia AB. Database name: Truecaller.com "
Example - John uses Truecaller.
John has a friend called Mike, who does NOT use Truecaller.
John's Truecaller uploads Mike's number to the Truecaller system.
Then, when Mike calls another Truecaller user, Truecaller tells that user "Mike" is calling.
At no point has Mike granted permission for his number to be used by Truecaller.
1) Is this legal under Swedish law?
Data Subjects - Mike - are NOT being provided with any information.
12. What information should be provided to data subjects at the point of collection of the personal data?
The general rule is that a data controller must voluntarily provide information to a data subject at the point of collecting personal data. This information includes:
The name, address, telephone number, company registration number and e-mail address (to the extent applicable) of the data controller.
Information concerning the purpose of the processing.
Any other information necessary for the data subject to be able to exercise his rights in connection with the processing.
This means that the information provided by the data controller must include information about the recipients of the information, and that the data subject is entitled to request information from the data controller concerning the processing and that the data controller is obliged to rectify any information about the data subject that has been erroneously processed.
There are exceptions to a data subject's right to receive information. Information does not need to be provided in relation to matters of which the data subject is already aware. Where the personal data is collected from a third party and not from the data subject himself, it is not necessary to provide information to the data subject if:
It is impossible.
It would involve a disproportionate effort.
SO... I think TC are in breach, because they do not notify the people whose numbers they collect and tag with names. John is aware, but Mike is not, and Mike has not given permission.
Perhaps they suggest that to do is impossible or would require disproportionate effort. So what, they don't have permission, and if they are not willing to seek it (e.g. by sending an SMS saying "your number has been put forward for adding to the Truecaller DB under the name "Girlfriend 3". If you agree, text back YES. If you do not want your number recorded, do nothing. If you want the number listed but under a different name, use our website".
What TC should do (if not willing to get proper consent) is ONLY retain the numbers of TC users. They should scrub the DB of all other names and numbers and stop collecting them in the future.
Do I need to make a formal compliant or does this email suffice to raise the issue?