I've spent a lot of time implementing GDPR policies, so I know (and groan) about this subject quite a bit. Your personal data is worth a lot of money for marketing purposes, and they will try all the dirty tricks they can to get it. I don't think that paper on parcels left in a shop are much of a risk, but I can imagine it came about because staff are very used to throwing around people's addresses in the stores. It might be related to the tactics Screwfix use to coerce customers into providing a name and address. Your basic freedoms allow you to purchase something without having to say who you are. But try this in Screwfix. The staff are trained to get it from you, and the computer screens for processing an order prompt them to get your name and address. Every time I've tried it it always results in an argument. Even if you do relent, then every time you pick something up there'll be a loud dialogue where everyone in the shop gets to hear what your address is. All of this is to channel you into signing up for their screwfix card as the perfect solution, so you just flash your card and you get some privacy back in the shop - but you get tracked on line. This isn't accidental, it was carefully planned and a lot of effort went into making sure it was much more inconvenient to just walk in and buy something like you would a newspaper from a shop, and to assimilate you into their marketing machine. These sorts of things started in companies when GDPR kicked in. It wasn't worthwhile to hassle customers at point of sale before as it was more lucrative to trick people into receiving marketing online. After GDPR, which is very weak in terms of consent via verbal interactions, suddenly every point of sale is a personal data harvesting blackspot. "Can I email you a copy of your receipt?" It's the new way of getting your consent for marketing without having to ask you. Re parcels left on van seats. That's not a breach of GDPR.