Car rental manager fined after unlawfully obtaining customer data
16 May 2024
A former Management Trainee at Enterprise Rent-A-Car UK Limited (“Enterprise Rent-A-Car”) has been ordered to pay a fine after admitting he illegally obtained customer data between 18 March 2019 and 1 April 2019.
Initial concerns were raised after Shairaz Saleem, 42, visited his workplace in West Yorkshire outside of his scheduled hours on Sunday 31 March 2019. An internal audit found he’d spent 32 minutes accessing 39 records of customer data in relation to 25 different rental branches.
Following this, Enterprise Rent-A-Car conducted an internal investigation which found Saleem had accessed a number of records containing personal data during the offending period in 2019. He was dismissed for gross misconduct shortly thereafter. The number of records considered to have been unlawfully accessed was at least 213.
The company did not consent to Saleem obtaining this data, stating that accessing this information fell outside of his role and there was no business need for him to do so.
Enterprise Rent-A-Car referred the case to the Information Commissioner’s Office, who launched a criminal investigation into Saleem.
Saleem appeared at Huddersfield Magistrates’ Court on Monday 13 May where he pleaded guilty to unlawfully obtaining data contrary to section 170 DPA 2018. He was ordered to pay a fine of £265, costs of £450 and a victim surcharge of £32.
Head of Investigations Andy Curry said
“Just because your job may give you access to other people’s personal information, it doesn’t mean you have the legal right to look at it whenever you like.
“This is an invasion of customer privacy by Saleem, who abused the trust that his employer placed in him, and which had the potential to jeopardise the broader company reputation.
“Unfortunately, these incidents cannot always be avoided due to some people having malign intent. Organisations can, however, put measures in place to mitigate occurrences by, as Enterprise Rent-A-Car did, having internal audit arrangements in place and ensuring staff are educated about data protection and information governance responsibilities, and how to handle people’s data responsibly.
Those looking for more information can also visit our website.”