Mappin & Webb has been ordered to improve its data access request processes after a customer wasn’t provided with a full copy of their personal data held by the company.
The Office of the Data Protection Authority received a formal complaint from the customer in November 2024 after details of a decision relating to the withdrawal of after-sale services weren’t disclosed in full.
The customer had submitted a data subject access request which data controllers must take reasonable steps to comply with, including thorough searches to ensure no personal data is overlooked.
In its investigation, the ODPA found that the company – part of the Watches of Switzerland Group – had provided incomplete information to the data request, with no reference made to the decision making over the withdrawal of services.
It also found that the firm’s initial search was not extensive enough, with local branch staff or archived material not considered, and a misunderstanding of how much data would need to be provided under the law.
The company later identified additional material relating to the customer and provided this.
The ODPA commended Watches of Switzerland for taking “proactive steps to address our concerns and ensure the final order could be actioned as soon as practicable.
“The Authority commends this action, which demonstrates positive engagement with the regulator and a desire to support data subject rights.”
It added that organisations must ensure internal processes are in place to correctly log and respond to personal data requests from the public.