Customers of Dutch telecom company Odido Netherlands B.V. have been affected by a large-scale data breach. At this stage, the exact scope and long-term consequences are not fully clear.
Note: even if you ended your subscription up to two years ago, your personal data may still be stored in Odido’s systems. That means former customers could also be affected.
If your data was exposed, risks may include:
- Identity fraud
- Phishing or targeted scam attempts
- Long-term exposure of sensitive personal details
Waiting passively is not a strategy. You need documentation.
How to take control of the situation
Odido provides privacy request forms on their website, but they are not prominently displayed and they do not specifically address the nature or consequences of this breach.
You can find them here: https://www.odido.nl/service/brochures-en-formulieren
Under the header: “Aanvraagformulieren Privacy”
Available forms include:
- Aanvraag inzage persoonsgegevens Mobiel
- Request for access to personal data Mobile
- Aanvraag verwijdering persoonsgegevens Mobiel
- Request for deletion of personal data Mobile
- Aanvraag inzage persoonsgegevens zakelijke eindgebruiker
- Request for access to personal data of a business end user
- Aanvraag verwijdering persoonsgegevens zakelijke eindgebruiker
- Request for deletion of personal data of a business end user
- Aanvraag inzage persoonsgegevens Internet + TV
- Request for access to personal data, Internet + TV
- Aanvraag overdracht persoonsgegevens Internet + TV
- Request for transfer of personal data, Internet + TV
- Aanvraag verwijdering persoonsgegevens Internet + TV
- Request for deletion of personal data, Internet + TV
These are standard GDPR request forms (access, deletion, portability). They do not automatically address breach-specific questions. That part is your responsibility.
Step 1 - Request access to your data (Inzageverzoek)
Before asking for deletion, first request full access to all personal data stored about you.
In your email or attached letter, you may request:
- A complete overview of all personal data processed about you
- The specific categories of data involved in the breach
- Whether your data was actually accessed, copied, or exfiltrated
- How long unauthorised access lasted
- Which systems were affected
- Which third parties or processors were involved
- A copy of the notification sent to the Dutch Data Protection Authority
- If you are a former customer:
  - The legal basis for storing your data after termination of your contract
  - The exact retention period that applied to your specific data
Be specific. Vague questions get vague answers.
Step 2 - Deletion (Right to be forgotten)
After receiving the access response, you may request deletion of all non-legally required data.
Important: Odido may retain certain financial records for 7 years due to Dutch tax law. That is normal. But they must explain exactly which data falls under that obligation. Whether Odido complied with Article 32 of the GDPR has yet to be determined. Ask for:
- Written confirmation of deletion
- Confirmation that deletion applies to all active systems
- Confirmation that third-party processors have been instructed to delete your data
- Clarification on backup storage policies
Request written confirmation of deletion in accordance with GDPR.
How to send your request
You can:
- Fill out the official PDF form(s) and attach an additional letter with your breach-specific questions.
- Or send it by (registered) mail (aangetekende brief) to:
Odido Netherlands B.V.
Postbus 16272
2500 BG
Den Haag
The Netherlands
Sending it registered gives you proof of delivery.
Or email your request to: persoonsgegevens@odido.nl
If emailing, request a confirmation of receipt.
What to include in your email or letter
To avoid delays, always include:
- Full name
- Date of birth
- Current address
- Address used during your subscription
- Former customer number (if known)
- Phone number(s) linked to the account
- Email address(es) used
- Period during which you were a customer
State promptly and clearly: “I request a full response within the statutory period of 30 days.” The AVG (GDPR) allows the response time to be extended by up to 2 months for complex cases.
To do immediately
Regardless of Odido’s response:
- Be alert for phishing emails referencing telecom services
- Do not click links in unexpected SMS messages
- Be aware that scammers may call you
- Follow the development of the case online, also to see whether any compensation or mass claims will follow. Note that compensation is not guaranteed and depends on proof of individual damage and causality.
- Consider registering with fraud alert services
Data breaches often lead to secondary fraud months later.
Documentation matters
If serious harm occurs later, documentation proves:
- That you requested information
- That you requested deletion
- Whether Odido responded adequately
- Whether they complied with GDPR timelines
Without documentation, legal claims become difficult.
Own your data, own yourself.
OONOO