Ex fleet car sold with active tracker..

[iamdjdz]

So, hypothetically of course:

A fleet car had a tracker installed that was never used but the employee had access to it (and their two colleagues' car locations) at all times. This employee left the business and their car was put up for public sale, then sold. Then the employee logged into the tracker phone app, which auto logged in, without remembering what it was and saw that the tracker was never removed and the new owner has not had the tracker removed so their locations is visible..

Only the ex employee and potentially their two colleagues who also had trackers and their manager would be aware of this. What way should the ex employee proceed in letting anyone know, and is this a GDPR breach?

Asking for a friend of course.

 

[iamdjdz]

Does your "friend" have a copy of the car keys

No, no. In this purely hypothetical situation the friend has recently discovered they still have access to the tracking application, has no other access to anything to do with the car. I think calling the ICO will be a good option.

 

[iamdjdz]

It isn't flippant. He should have removed the app as soon as he left the employ of the company concerned. Their data protection issues are their concern, if you wanted to be helpful then let the company know as it seems that they probably aren't even aware. Calling the ICO is a ridiculous over-reaction.

In this again hypothesis, the ex employee removed the app after having rediscovered it and let his ex employers know. However said ex employee could have been pretty shocked that the main tracking application for his fleet of colleagues had not been switched off when a car was put up for sale, and that they still had access, albeit without basis. Ex employee was more shocked in principle that this was allowed and could have contacted the ICO out of genuine concern.