A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?
OP send them one more request explaining that under GDPR you are not required to do anything more than request your data be deleted and they must comply. Explain to them that if they don’t do so in a timely manner you will be contacting your country’s data protection office and filing a complaint.
GDPR clearly states you can contact any part of the organisation with your request. You can make your request verbally or in writing and they must acknowledge it. They can’t refuse and make you use their app.
For fun send them a Subject Access Request and if they don’t acknowledge it, report them to the ICO (if you’re in the UK)
Cool clickbait. By censoring the company you are complaining about you are removing any possibility of confirming the story. Why would you do this? you are supposedly mad about the company and thus airing a public grievance, yet what could is a public grievance if no one know the target of your ire? Well it’s useless, so why would you post this? For internet points? Maybe go back to reddit.
The purpose of this post was to find out if what they do is legal. That is, if I have the right to file a complaint. I’m not obliged to tell you the name of the company. I have things to do and I don’t care about “internet points”, as you call them.
You say you don’t “Care about internet points” and you have “things to do” yet you constantly post and comment on AI generated memes. It’s ok if you want to enjoy things online. It’s also ok if you do deeply care about internet points, but don’t outrage farm.
I don’t know, maybe? If they have a process, no matter how laborious and roundabout, they can always claim that they have a process and that you have nothing to complain about, legally speaking. Their wagering that people will not go through all the bullshit, and they’re unfortunately right. That’s literally why they do it. The only correct response is to hound them relentlessly, going to Twitter (or something else idk these days, and I’m not calling it X), the press if necessary, and pestering as many government bodies and officials as you have to in order to make them get their fucking shit together. And then they’ll make your particular situation of priority because now you’re being more of a pain in the ass than actually doing their job is. They won’t change the broken system, because one exception in a thousand isn’t worth it to them to be bothered with.
Tldr, maybe but it probably won’t help you, so make it as big of a headache for them as possible.
In the EU you don’t need to follow their process. Any GDPR request can be made to them through any channel and they must comply. If they don’t, then the next step is to file a complaint with your local data protection office, or the data protection office of the European country where the offending company is represented.
I had a simmilar situation with Nicehash (crypto shit company), but I had 2fa enabled and just wanted to unsubscribe from useless newsletters. They asked for a photo of me holding a paper with my personal information. Still didnt solve that, but some comments here might help, following
How about using a programmer style variables like badCompanyName. You don’t have to be a mathematician. Sure, I can totally appreciate concise names, but some times you have to use longer names to avoid collisions.
There is some arguement to be made that Facebook was kind of good at first. It was useful and it had social impacts that were positive. Over time it became toxic.
Twitter was awful from day one though, mostly because it was bloody useless from day one. Everything that anybody used it for could have been done, and generally was also done, on Facebook, so there was literally no point in the platform.
I had this before, though not through a direct communication. Someone had gotten my email credentials somehow and installed a company’s app and made an account. When I went through the support pages on the company’s site to find out how to delete the account the only listed way was through the app itself.
They were accommodating and helpful when I emailed the company about it though. I just told them that I can’t agree to the privacy policy and thus cannot install the app but still need the account to be deleted. They did it.
Being friendly doesn’t negate the fact that they are out of compliance with the law. Even sending a second email to insist they delete your data is an undue burden.
You’re right, but sometimes a bit of undue courtesy repays in dividends. Not every minor infraction is nefarious and not every minor infraction deserves reporting. A simple courteous reminder of their obligations may save both parties some undue hassle.
I can imagine this company doing this to ensure only authenticated users can have their data removed. There are other ways…but this was probably what they considered reasonable and painless for all, admittedly they (wrongly) didn’t consider the audience of this community in that decision.
According to my training when I was handling my workplace’s GDPR request email companies have 30 days to respond. Meaning they could simply have a bot respond to all incoming emails on day 29 and say “we’re reviewing your request” and be in compliance for a while longer
Remember that you're talking to some poorly paid person that has to deal with unhappy people all day and probably doesn't even agree with these policies. This is no different than being in a restaurant - don't be rude to service people. Be polite, but firm. You can express that you're unhappy and that this isn't acceptable in a way that doesn't come off as berating some first level service drone.
That’s really not cool that you’re upfront about your assumptions. I’m moving from Gmail to another mail provider and, in the process, deleting accounts I don’t use. Please don’t assume in advance something you have no idea about.
I was in the same situation as you a year ago. Deleted my Google and Microsoft accounts. Would you mind sharing what new services you have settled with?
For some critical services (such as banks, hosting providers, etc.) I use ProtonMail. For the rest of the stuff, I have my own email server hosted at my home set up with a VPN tunnel to OVH (data is kept on a server at my home, but the server is publicly available from the Internet thanks to a cheap VPS from OVH). The most private is what you have full control over.
With this solution, I have full control over my data.
Wow that’s pretty advanced. I always thought about hostim my own email server but then people reminded me that I might get blocked or classiefied as spam so it didn’t seem worth the effort. I don’t use email that often anyways.
Can you write an official letter for removal of my private data for (company name) and (my name). Use a strong tone and legalese langage. Make sure you verify the timeframe they must respond (act with 30 days of this letter) and any other specific to make sure they know what my rights are and that I am serious. List the typical types of data they might have on me. And write in a 1800L lexile scale.
It would be complete bullshit, but clearly the people on the other end would be too stupid to recognize it as such. So there's really no reason not to do it as long as you're aware that it's an empty threat.
I think you could achieve the same without bullshitting by simply saying "Please delete my data within 30 days or I will report you to the relevant authorities", but each to their own.
It doesn't matter since none is needed for this. I understand that the goal is to add filler with intimidating legalese, but I doubt that customer "support" is going to react as they expect.
You can ask the text without name and write it after… I mean really? Search on hugging face for free LLM (that’s the kind of ai of chat gpt) and try it for free without registration there is that’s suuuch a thing
Subject: Formal Request for Immediate Erasure of Personal Data
Dear [Recipient Name],
I am writing to formally request the immediate erasure of all personal data pertaining to myself, [Your Name], from your systems in accordance with Article 17 of the General Data Protection Regulation (GDPR). This entails the deletion of my data from your databases and any other processing systems within your organization.
The categories of data I am referring to include, but are not limited to:
Personal identification information (name, address, email, phone number)
Professional data (job title, employer, professional contacts)
Financial data (bank account details, transaction history)
Technical data (IP addresses, cookie data, browsing history)
Any other category of data related to me.
You are hereby instructed to ensure this erasure without undue delay and, in any event, within thirty (30) days of receipt of this letter. Failure to comply within this timeframe will compel me to take further legal action to enforce my rights under the GDPR.
I further request that you provide written confirmation upon successful deletion of my data, indicating that no personal data pertaining to me remains in your possession, custody or control.
In the event that you require any additional information to comply with this request, you may contact me via email or phone, as provided above.
Thank you for your prompt attention to this serious matter.
Sincerely,
[Your Signature (if sending a hard copy)] [Your Name (printed)]
SPF/DKIM/DMARC does not prevent sending the spoofed message, though. It is up to the recipient system to filter out the message should the checks fail. Even then, the message often lands into spam instead of being dropped.
Anyway they should configure their systems to reject unsigned e-mails and providers that don’t have a proper SPF configuration. SPF (Sender Policy Framework) allows you to make sure that the message was sent by an approved server and was not forged by some hackur.
That is especially true with large organizations where multiple non-technical teams are ordering/configuring products that send email.
Unfortunately it is difficult to solve, unless services stop allowing sending without verifying and forcing proper configuration. That would drive sales to competitors who do not enforce this, though.
They literally replied to his registered email and he has the reply. That would indicate that he has at least access to the account. So with OP’s next email quoting the reply ownership over the associated email address should be reasonably established.
If you can read emails sent to a given address, and send replies from that address, it basically is your email address for all practical purposes no matter who was meant to be using the account. This is not necessarily a good thing and better end-to-end security would be nice but it is what it is. Odds are the app itself would let anyone change the password and log in provided they can read the emails, unless it’s using some form of 2FA.
Add comment