Security check.....really?

[magirus]

It’s fine with me I don’t care what you do ,as I said the best thing to do is exercise your right and purchase somewhere else . My comment was focusing on the level of intensity of opinion about something that you didn’t even comply with . Then come on and galvanise opinions about a business that will then turn away potential customers ... for what end ?

I am not looking for an argument I just don’t understand what drives such aggressively pitched comments over nothing really . If it was your business would you appreciate a quiet constructive comment or a forum based bashing ...? Are times not hard enough for retailers without the public bashing of a policy you don’t happen to agree with .

Just saying ....

Just wait until you gain access to the Bear Pit. This thread is quite genteel by comparison.

[paskinner]

It’s a boring wet Saturday in a difficult time for everyone. So a row on TZ might help pass some time....(sad isn’t it!). But there is a point here; how should customers on line be treated? Many of us distrust sending copies of private documents to total strangers. In this case, the retailer solicited business , and confirmed an agreement to purchase, without making any mention of anti-fraud requirements. It was only when the order had been confirmed, and credit card details , and address, provided, that these extra demands were suddenly made.
When I, politely, queried this, I was told it was a standard requirement . So why hadn’t it been mentioned ? And why do WOS think they have the right to copies of private documents which could be misused?

[Simons194]

It’s a boring wet Saturday in a difficult time for everyone. So a row on TZ might help pass some time....(sad isn’t it!). But there is a point here; how should customers on line be treated? Many of us distrust sending copies of private documents to total strangers. In this case, the retailer solicited business , and confirmed an agreement to purchase, without making any mention of anti-fraud requirements. It was only when the order had been confirmed, and credit card details , and address, provided, that these extra demands were suddenly made.
When I, politely, queried this, I was told it was a standard requirement . So why hadn’t it been mentioned ? And why do WOS think they have the right to copies of private documents which could be misused?

It’s a tough time indeed and I agree it’s a poor process that clearly wasn’t explained too well at the start of the transaction . As always the devil is in the detail and I suspect that you must have at some point agreed contact from WOS and their GDPR policy would have confirmed how they contacted you in the future ? That probably included updating you with relevant offers .

I agree it’s annoying to then find you have to send data your not happy sending , but I think the sentiment of trying to establish who is using the card details is not wrong . Having been at the other end of a very clever card fraud it’s a real problem and the real card holder in my case went through hell to prove it wasn’t them ....

[Rob153]

Retailers are definitely having to up their game with the amount of fraud going on, like i said in a previous post, simple phone call from them would have been much better...’due to the value of the watch sir could you possibly bring with you some ID when you pick it up, extra security features we have implemented to protect us against fraud’

Stating the obvious and sounding old fashioned but emails/messages can be sometimes misconstrued, an old fashioned phone call can work wonders when dealing with people, just think it’s the way WOS has dealt with the request that’s at fault.

[Saint-Just]

Retailers are definitely having to up their game with the amount of fraud going on, like i said in a previous post, simple phone call from them would have been much better...’due to the value of the watch sir could you possibly bring with you some ID when you pick it up, just extra security features we have implemented to protect us against fraud’

Stating the obvious and sounding old fashioned but emails/messages can be sometimes misconstrued, an old fashioned phone call can work wonders when dealing with people, just think it’s the way WOS has dealt with the request that’s at fault.

I think the point was that the retailer wanted those details by email and would not even forward the watch to a local distributor.
I have no doubt the initial contact was made according to a compliant GDPR policy. I would be extremely surprised if their email system could still be compliant as it would involve very restricted (and documented) access and storage.

[paskinner]

A simple test. How many TZ members would be happy to have a commercial jewellers possess photos of themselves with private security documents (passport or driving licence). How can you know what might happen to them? Who guarantees their safety? And what happens if they get misused.
Maybe I’m over-suspicious, but it worries me.

[ALindsay]

On a similar theme. Last week when I logged onto a savings account (on-line only) a msg. popped up saying that to comply with gov. regs. I should send a screenshot of the bank account details where the investment money came from. Also, asked if I am currently employed! Needless to say I ignored the request and it never appeared again on subsequent log-ins. Makes you wonder doesn’t it?


Sent from my iPhone using TZ-UK mobile app

[robert75]

It’s a boring wet Saturday in a difficult time for everyone. So a row on TZ might help pass some time....(sad isn’t it!). But there is a point here; how should customers on line be treated? Many of us distrust sending copies of private documents to total strangers. In this case, the retailer solicited business , and confirmed an agreement to purchase, without making any mention of anti-fraud requirements. It was only when the order had been confirmed, and credit card details , and address, provided, that these extra demands were suddenly made.
When I, politely, queried this, I was told it was a standard requirement . So why hadn’t it been mentioned ? And why do WOS think they have the right to copies of private documents which could be misused?

Think PayPal a while back asked for a copy of driving licence or passport as part of “anti fraud” so the same can be asked about them.

Strange though we are happy to provide these details to random mobile phone companies even our fingerprints.

[Saint-Just]

Think PayPal a while back asked for a copy of driving licence or passport as part of “anti fraud” so the same can be asked about them.

Strange though we are happy to provide these details to random mobile phone companies even our fingerprints.

Paypal has to meet banking levels of encryption and data security. The penalty is not only from GDPR authorities, I am sure you've seen the adverts for a class action against BA...
As to phone companies, I do not believe they have my passport. I can register whoever I want (up to 5 people) for fingerprint access to my phone, and I do not believe the data actually leaves the phone; if it does, though, I believe it would be encrypted.

[Mick P]

A simple test. How many TZ members would be happy to have a commercial jewellers possess photos of themselves with private security documents (passport or driving licence). How can you know what might happen to them? Who guarantees their safety? And what happens if they get misused.
Maybe I’m over-suspicious, but it worries me.

It wouldn't worry me but I would just refuse to trade with them. They will only do it if they can. If enough people say no, they will cease the practice.

[MrGrumpy]

A simple test. How many TZ members would be happy to have a commercial jewellers possess photos of themselves with private security documents (passport or driving licence). How can you know what might happen to them? Who guarantees their safety? And what happens if they get misused.
Maybe I’m over-suspicious, but it worries me.

I think this is a very valid point. The seller may be concerned that the buyer could be doing some sort of fraud, but as buyers, how do we know that the seller isn't a fraud, or that we've not stumbled onto some fake copy-cat site or something? When we hear about the avalanche of scams going around these days, the message from authorities is very clear - don't disclose your personal data to anyone you aren't 110% sure of, as any personal info is valuable to fraudsters for ID theft etc. So I'd be very wary of sending a picture of my ID (containing my address, DoB etc) off to some person who may or may not be who they say they are.

[Alansmithee]

Strange though we are happy to provide these details to random mobile phone companies even our fingerprints.

Without getting too technical - you don't - your fingerprints never leave the phone (and yes this has been independently audited) and apple have no idea what your fingerprint looks like.

[Rob153]

I think the point was that the retailer wanted those details by email and would not even forward the watch to a local distributor.
I have no doubt the initial contact was made according to a compliant GDPR policy. I would be extremely surprised if their email system could still be compliant as it would involve very restricted (and documented) access and storage.

Fair enough, I must of misunderstood- Then 99.9 % they have/are not acting in accordance with GDPR compliance requesting ID, have had dealings with GDPR, had to try and help a company I worked for become FCA compliant, absolute can of worms.

[Saint-Just]

Fair enough, I must of misunderstood- Then 99.9 % they have/are not acting in accordance with GDPR compliance requesting ID, have had dealings with GDPR, had to try and help a company I worked for become FCA compliant, absolute can of worms.

I completely agree, it is extremely complicated and I find it highly unlikely that a retailer like WoS would go through the processes required. So while the concern they have is acknowledged, the means they have to address it are illegal and it should be pointed out to them, rather than the "ignore and shop somewhere else" attitude that some seem to suggest.

[markyboy.1967]

I was on the understanding that part of GDPR compliance was that the info companies gained was to be the bare minimum and not request info which isn’t required for the product. Say a distillers selling drink then they can take your name , age etc. Your addy would be used to send the purchased items so that is required but I don’t see how photo ID meets any necessary criteria but I’m no expert so I may be wrong.

[Umbongo]

Just ordered, for the first time, a watch from Watches of Switzerland. Omega Speedmaster ....the new model.
Just got an e-mail from them saying I am ‘required’ to send them a picture of myself holding a driving licence or passport. What sort of absurdity is this? I’m paying with my credit card, my address is easily checked.
Anyone else been treated like this? I’m not going to co-operate. If they can’t treat me with civility, I will shop elsewhere.

So now Omega customers are being treated as disrespectfully as rolex customers? Whatever next??

[wileeeeeey]

So now Omega customers are being treated as disrespectfully as rolex customers? Whatever next??

Hublot customers.

[Umbongo]

Hublot customers.

Is owning a Hublot not punishment enough??!

[RobDad]

I took my car in for a service last week amd had a brief chat with the Manager about how odd it must be trying to sell cars online without a test drive or any of the usual niceties. He said a few people were happy to do it but agreed it’s a bit odd. I wonder if I bought a new car from them online they’d ask for a photo of me holding ID? If they did I’d politely refuse. As far as being careful with ID/GDPR a shop is a shop as far as I’m concerned - and would you provide a photo of you with your ID to the counter staff at Lidl!!?


Sent from my iPhone using Tapatalk

[MrGrumpy]

Is owning a Hublot not punishment enough??!

Owning a Hublot is its own punishment! Let alone wearing it.......

[abraxas]

It will be DNA next. Welcome to the new normal.

[M1011]

There's a lot of misinformation and fist shaking going on in this thread.

The retailer wants to make the sale, they don't want to create barriers. So if they're asking for ID for fraud purposes, then evidently they must be suffering from fraud.

The consumer has every right to refuse if they aren't comfortable with the request, as has happened here.

The shop doesn't have to sell to you. You don't have to buy from the shop. Balance has been maintained. Life goes on.

[Saint-Just]

There's a lot of misinformation and fist shaking going on in this thread.

The retailer wants to make the sale, they don't want to create barriers. So if they're asking for ID for fraud purposes, then evidently they must be suffering from fraud.

The consumer has every right to refuse if they aren't comfortable with the request, as has happened here.

The shop doesn't have to sell to you. You don't have to buy from the shop. Balance has been maintained. Life goes on.

You don't understand: the request by the shop is abusive. The OP could send his ID as requested, and raise hell about GDPR that could result in fines that could close the business.

[Omegamanic]

I was on the understanding that part of GDPR compliance was that the info companies gained was to be the bare minimum and not request info which isn’t required for the product. Say a distillers selling drink then they can take your name , age etc. Your addy would be used to send the purchased items so that is required but I don’t see how photo ID meets any necessary criteria but I’m no expert so I may be wrong.

If your GDPR, or AML compliant policies state that you should obtain photo ID for amounts of more than £5k, then any other criteria falls away. GDPR is to stop others/corporates from using your data in a way that you wouldn’t want. It does not stop or make any legitimate business use obsolete. You could in effect provide your details, carry out a transaction and then invoke your right to be forgotten, but if the data was collected for AML then it would override GDPR.

[Omegamanic]

There's a lot of misinformation and fist shaking going on in this thread.

The retailer wants to make the sale, they don't want to create barriers. So if they're asking for ID for fraud purposes, then evidently they must be suffering from fraud.

The consumer has every right to refuse if they aren't comfortable with the request, as has happened here.

The shop doesn't have to sell to you. You don't have to buy from the shop. Balance has been maintained. Life goes on.

They are likely finding getting insurance a lot more difficult. All my clients have had substantial increases in deductibles in recent years, and some more exclusions. One of the main pushes has been in the areas of online or phone transaction, and fraud prevention measures - to the extent that most requested details of the processes and a copy of procedures.

[RAJEN]

There's a lot of misinformation and fist shaking going on in this thread.

The retailer wants to make the sale, they don't want to create barriers. So if they're asking for ID for fraud purposes, then evidently they must be suffering from fraud.

The consumer has every right to refuse if they aren't comfortable with the request, as has happened here.

The shop doesn't have to sell to you. You don't have to buy from the shop. Balance has been maintained. Life goes on.

Agree 100%
A totally voluntary situation blown out of proportion GDPR or not.
People complaining/ hyperventilating about ADs etc seem to forget an essential fact- they are free to walk away if the scenario is not to their liking. That is what grown ups do.

[paskinner]

Agree 100%
A totally voluntary situation blown out of proportion GDPR or not.
People complaining/ hyperventilating about ADs etc seem to forget an essential fact- they are free to walk away if the scenario is not to their liking. That is what grown ups do.

Grown-ups might also think that the retailers behaviour is wrong, and publicise that fact. WOS never said a word about all this until they’d got my business and confirmed the order. How is that a ‘totally voluntary situation.’I was told nothing about this until I’d confirmed the order.

[Simons194]

Agree 100%
A totally voluntary situation blown out of proportion GDPR or not.
People complaining/ hyperventilating about ADs etc seem to forget an essential fact- they are free to walk away if the scenario is not to their liking. That is what grown ups do.

Agreed 👍🏻

[Simons194]

Grown-ups might also think that the retailers behaviour is wrong, and publicise that fact. WOS never said a word about all this until they’d got my business and confirmed the order. How is that a ‘totally voluntary situation.’

There's a lot of misinformation and fist shaking going on in this thread.

The retailer wants to make the sale, they don't want to create barriers. So if they're asking for ID for fraud purposes, then evidently they must be suffering from fraud.

The consumer has every right to refuse if they aren't comfortable with the request, as has happened here.

The shop doesn't have to sell to you. You don't have to buy from the shop. Balance has been maintained. Life goes on.

A sensible and balanced approach ..👍🏻

[Saint-Just]

If your GDPR, or AML compliant policies state that you should obtain photo ID for amounts of more than £5k, then any other criteria falls away. GDPR is to stop others/corporates from using your data in a way that you wouldn’t want. It does not stop or make any legitimate business use obsolete. You could in effect provide your details, carry out a transaction and then invoke your right to be forgotten, but if the data was collected for AML then it would override GDPR.

That is factually incorrect.
AML doesn't override GDPR (nor the other way round)
If AML requires photo ID then photo ID has to be submitted. However, GDPR impose strict conditions as to encryption, storage and access to those details. Those obligations MUST be met. Even if the information is actively destroyed immediately after the checks, the process of receiving the email must be extremely rigourous, and they need to be able to document that to customers before they have to send the ID.

[Templogin]

If they had a public PGP key you could at least encrypt it so that only they could open it. Watermarking the image before the encryption process with the seller logo would be a good idea too, but there are still gaping holes. I would want written confirmation of when the image was deleted from their servers and backups and confirmation of when it had taken place. They wouldn't do that so I would also be waiting for the shop to open.

[Simons194]

That is factually incorrect.
AML doesn't override GDPR (nor the other way round)
If AML requires photo ID then photo ID has to be submitted. However, GDPR impose strict conditions as to encryption, storage and access to those details. Those obligations MUST be met. Even if the information is actively destroyed immediately after the checks, the process of receiving the email must be extremely rigourous, and they need to be able to document that to customers before they have to send the ID.

Correct I deal with this daily , the main issue is setting and agreeing the correct permissions at the onset .

[Lawbreaker5000]

I am with the OP.

I would be annoyed if they rang myself to purchase a watch then later requested photo”s of myself holding ID after I agreed to go ahead with a purchase.

I also would cancel the order.

[GMC41]

That is factually incorrect.
AML doesn't override GDPR (nor the other way round)
If AML requires photo ID then photo ID has to be submitted. However, GDPR impose strict conditions as to encryption, storage and access to those details. Those obligations MUST be met. Even if the information is actively destroyed immediately after the checks, the process of receiving the email must be extremely rigourous, and they need to be able to document that to customers before they have to send the ID.

He’s correct re: the right to be forgotten. If the records are obtained for AML purposes, record keeping requirements under the ML regs override the “right to be forgotten”.

[Omegamanic]

That is factually incorrect.
AML doesn't override GDPR (nor the other way round)
If AML requires photo ID then photo ID has to be submitted. However, GDPR impose strict conditions as to encryption, storage and access to those details. Those obligations MUST be met. Even if the information is actively destroyed immediately after the checks, the process of receiving the email must be extremely rigourous, and they need to be able to document that to customers before they have to send the ID.

What’s factually incorrect, unless we are playing semantics for the sake of it?

You can argue that it falls under Legal Obligation, and I would agree, but we are discussing a company’s own internal policies and procedures, rather than strict obligations under AML Codes. I was also not commenting on the security of data, whether storage or transmission.

GDPR:
The six lawful bases for processing are:

• Consent
• Contract
• Legal obligation
• Vital interest
• Public task
• Legitimate interests

[Saint-Just]

He’s correct re: the right to be forgotten. If the records are obtained for AML purposes, record keeping requirements under the ML regs override the “right to be forgotten”.

Note that I said "even if the information is destroyed immediately", which implies that it may not be the case depending on requirements. In any case when it is not destroyed it must be kept safe at an extremely high standard, with each consultation recorded. It's an impossibly difficult standard to achieve...

[robert75]

Agree 100%
A totally voluntary situation blown out of proportion GDPR or not.
People complaining/ hyperventilating about ADs etc seem to forget an essential fact- they are free to walk away if the scenario is not to their liking. That is what grown ups do.

Precisely this, file under first world problems.

[Saint-Just]

What’s factually incorrect, unless we are playing semantics for the sake of it?

You can argue that it falls under Legal Obligation, and I would agree, but we are discussing a company’s own internal policies and procedures, rather than strict obligations under AML Codes. I was also not commenting on the security of data, whether storage or transmission.

GDPR:
The six lawful bases for processing are:

• Consent
• Contract
• Legal obligation
• Vital interest
• Public task
• Legitimate interests

I am not denigrating them the right to request the info. I doubt they have the right internal procedures to treat that info in compliance with GDPR

[GMC41]

Note that I said "even if the information is destroyed immediately", which implies that it may not be the case depending on requirements. In any case when it is not destroyed it must be kept safe at an extremely high standard, with each consultation recorded. It's an impossibly difficult standard to achieve...

He referred to the AML regs overriding GDPR in the case of right to be forgotten. You responded saying that AML rules don’t override GDPR; however in this case they do so I corrected you.

I don’t think anyone’s disputing your next point are they? However it’s not an impossible standard to achieve as the whole regulated sector has to do it.

[Saint-Just]

However it’s not an impossible standard to achieve as the whole regulated sector has to do it.

This is true. But the standards were already very high for them before GDPR, whereas for non regulated company the step is massive.

[Omegamanic]

I am not denigrating them the right to request the info. I doubt they have the right internal procedures to treat that info in compliance with GDPR

They may or may not. I don’t work with/for any jewellers, so have no idea how they comply - but as they’ve had to comply with both AML and data protection for many years, I’m sure they must have something in place (whether that meets current requirements in full is another matter), especially being one of the larger groups and having contracts in place with some pretty pay big players.

[Omegamanic]

This is true. But the standards were already very high for them before GDPR, whereas for non regulated company the step is massive.

Agreed - I see some fallout, or deregistering of businesses, on an almost weekly basis as the compliance costs are too high.

[M1011]

You don't understand: the request by the shop is abusive. The OP could send his ID as requested, and raise hell about GDPR that could result in fines that could close the business.

Respectfully, you're not suitably informed of my experience on the topic to dictate whether or not I understand.

As for GDPR compliance, we simply don't have any of the detail. Unless I've missed it somewhere, we don't even know the method by which the photos were going to be shared. We have no idea how they were going to be processed and stored, or what information has been provided to the customer. I can categorically say it is possible to collect photos of customer ID and be GDPR compliant if done properly, so I see no reason to presume guilt in the absence of any actual facts.

Anyway, I'm not going to get drawn into a debate on hypotheticals when there's clearly emotional views on display in the thread. The customer opted to walk away, problem solved.

[AP1]

I appreciate all the GDPR concerns and I agree with most of them, I even made a comment earlier in the thread that was younger in cheek but in hindsight a bit naive. I see this from both sides and appreciate the shop’s position as fraudsters are using tricks like the one outlined in this video. The retailers are stuck between a rock and a hard place if the banks use their Teflon shoulders in cases like this...
https://youtu.be/m9moddkjeF0

[Halitosis]

Perhaps I'm a little too easy-going, but I'd have provided the requested photo with little thought. I doubt a photo of a person holding a driving licence has much use - the details on the licence are almost certainly illegible so the photo means nothing. I can fully understand a retailer wanting to know what a customer looks like if they're popping out to the pavement to hand over a bag of valuables.
Anyway - horses for courses I guess.

[MartynJC (UK)]

Perhaps I'm a little too easy-going, but I'd have provided the requested photo with little thought. I doubt a photo of a person holding a driving licence has much use - the details on the licence are almost certainly illegible so the photo means nothing. I can fully understand a retailer wanting to know what a customer looks like if they're popping out to the pavement to hand over a bag of valuables.
Anyway - horses for courses I guess.

Maybe DHL / UPS should start doing the same thing - oh hang on they leave your delivery on the doorstep... The retailer does not deliver the item - so this photo ID is of no benefit / use at all - as far as I can see. (Seeing as WoS does delivery as well as Click/collect)

[theancientmariner]

Mine is to shop elsewhere. Where I won’t be expected to prove I’m not a criminal.

that's exactly the point. How does anyone know whether you're a criminal or not? I couldn't say one way or the other and if I worked for WoS you could easily hand me your card details and your address and I still wouldn't know whether you're a criminal or not. I could process the card payment, send the watch to the address that you've given me and think all is fine. Then a week later, you've disappeared with the watch and the credit card company are rescinding the payment . By asking for an extra level of identification, it's helping prevent fraud against the retailer.

I don't have an issue with you not wanting to do this and either using a different retailer who are prepared to take more of a risk with their customers, or doing a click and collect purchase or even waiting until the stores reopen. What I take issue with is the negativity against a retailer who chooses to do this. Everyone seems to be quite happy to hand over their card details and their address but not a photo of a driving licence or passport to a retailer who will almost certainly hold those photos securely up until a point where they don't need them any more and then they will be deleted. It's everyones choice to make individually and I wouldn't have a problem at all with doing it but why be offended?

[theancientmariner]

Maybe DHL / UPS should start doing the same thing - oh hang on they leave your delivery on the doorstep... The retailer does not deliver the item - so this photo ID is of no benefit / use at all - as far as I can see. (Seeing as WoS does delivery as well as Click/collect)

DHL are supposed to take a photo for every drop off they do as evidence it has been delivered to that address. Under their t&c's it doesn't have to be delivered to a specific person, just the address. However, that's got nothing at all to do with WoS asking for extra id to prevent fraud.

[Saint-Just]

The first verification available is the address for delivery is the same as that where the card is registered.
But that’s not really the issue.
Provided the two addresses match, WoS could send the watch to an AD local to the buyer, and require the shop to satisfy themselves as to his ID. I have no problem showing my passport in Boots when I collect my prescription.

[Halitosis]

Perhaps I'm a little too easy-going, but I'd have provided the requested photo with little thought. I doubt a photo of a person holding a driving licence has much use - the details on the licence are almost certainly illegible so the photo means nothing. I can fully understand a retailer wanting to know what a customer looks like if they're popping out to the pavement to hand over a bag of valuables.
Anyway - horses for courses I guess.

Maybe DHL / UPS should start doing the same thing - oh hang on they leave your delivery on the doorstep... The retailer does not deliver the item - so this photo ID is of no benefit / use at all - as far as I can see. (Seeing as WoS does delivery as well as Click/collect)

Fair point and by the time I had read through the thread I'd forgotten the OP had stated it was to be delivered. I had collection in mind - that these days equates to handing over a bag in the street outside the shop to a stranger wearing a facemask while trying to maintain a 2m distance. Come to think about it perhaps I should wander around New Bond Street trying to express an air of expectation with my eyes ready to receive a package It must be a high end jeweller's nightmare!