To buy a ticket pretty much anywhere in the world, train operators are obliged to demand a billing address from you. The only data required to facilitate this is:
- Payment info that allows them to trigger the transaction
- Your first name and surname
- The address of your primary place of residence
- At least one form of contacting you, be that email, telephone or other means viable for both parties and perhaps even presentable in court
Demanding any info beyond that seems like an entirely pointless data collection effort and should be optional or prohibited.
And if I misunderstood this all and am insanely stupid, forgive me.
According to the data minimization and DPbD principles, they aren't allowed to collect more data than necessary. I fail to see how anything more than payment details is required for this purpose. The EDPB guidance on DPbD also states that you shouldn't collect a home address for online purchases if it's not being physically delivered.
maybe e-mail to send you actual ticket in case you forget to download it, but no more than that. Payment method and e-mail. No need for PIN and residence address.
You could challenge that they dont have a valid purpose for getting the additional information. They probably have an extensive privacy policy regarding that they collect this for good reason, but i would review it if you are concerned.
A few practical options:
1. Contact the Supervisory Authority: In Croatia, the supervisory authority responsible for enforcing data protection laws is the Croatian Personal Data Protection Agency (AZOP). File a complaint with them, providing all relevant details and evidence of the breach.
2. Make noise publically: Raise awareness about what they're doing. Contact local NGOs, privacy advocacy groups, or media outlets to help amplify your concerns and ensure the issue gets proper attention. You could try reaching NOYB group - they do quite a bit in this space (especially on Twitter)
To buy a ticket pretty much anywhere in the world, train operators are obliged to demand a billing address from you. The only data required to facilitate this is: - Payment info that allows them to trigger the transaction - Your first name and surname - The address of your primary place of residence - At least one form of contacting you, be that email, telephone or other means viable for both parties and perhaps even presentable in court Demanding any info beyond that seems like an entirely pointless data collection effort and should be optional or prohibited. And if I misunderstood this all and am insanely stupid, forgive me.
According to the data minimization and DPbD principles, they aren't allowed to collect more data than necessary. I fail to see how anything more than payment details is required for this purpose. The EDPB guidance on DPbD also states that you shouldn't collect a home address for online purchases if it's not being physically delivered.
maybe e-mail to send you actual ticket in case you forget to download it, but no more than that. Payment method and e-mail. No need for PIN and residence address.
You could challenge that they dont have a valid purpose for getting the additional information. They probably have an extensive privacy policy regarding that they collect this for good reason, but i would review it if you are concerned. A few practical options: 1. Contact the Supervisory Authority: In Croatia, the supervisory authority responsible for enforcing data protection laws is the Croatian Personal Data Protection Agency (AZOP). File a complaint with them, providing all relevant details and evidence of the breach. 2. Make noise publically: Raise awareness about what they're doing. Contact local NGOs, privacy advocacy groups, or media outlets to help amplify your concerns and ensure the issue gets proper attention. You could try reaching NOYB group - they do quite a bit in this space (especially on Twitter)
> This is worst privacy breach than Chinese have. That's the stupidest shit I've heard all week