The request for my data from Turku regional transportation had to be done in person, which is kinda-fine, but it should have been possible online through Suomi.fi messages or on Föli’s site, but nope, it is not.
The form I was given when asked to file the information request (per General Data Protection Regulation) was nothing fancy; it just asked to type your name, address, phone number and travel card number (alternatively social security number too). I filled out all the information as I have been using their mobile app which allows for loan top-up of the travel card among other things. The request was filed on 13th of November.
I received an email from them a day before their 30-day processing time had passed to let me know that they won’t be able to meet the time frame required by law to give me the requested information.
They only said that they are waiting on their IT department to get them a way to transmit the data securely and confidentially. I replied to it to ask if they knew about GPG, but they ignored the question and replied with really nothing relevant to my question.
I have now asked them to provide me the person’s contact information who is responsible for this process as it’s awful. Will need to see how it goes. I’ll update this blog post when I know more.
I have received a reply from them, through a web portal which is not really confidential email, at least in its normal context, and the data provided does not include all the requested information. I thought they would ask for the travel card number so they can get me the data saved on it, but apparently that’s not the case. They instead just basically listed the same information they asked me in the form I was given to request it in the first place.
They did not verify my identity with any proper strong authentication prior to letting me access my data. They only used a PIN that’s sent to your phone number. That’s definitely not an authentication method in this context, much less a strong one; that code can be intercepted at any point in transit as it’s sent in clear-text.
I have now sent a question about this to their director of development, telling about the problems in the process as well as asking for my travel card saved data. I would hate to have to ask the Data Protection Ombudsman for help with this (Source: https://tietosuoja.fi/en/when-you-want-to-inspect-your-data).