A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?
No, it’s not at all legal for the company to do this. Reply and remind them they have one calendar month to comply from the date of your original request, otherwise you will make a complaint to which ever information regulator is correct for the juridiction they’re operating in.
I’m a lawyer specialising in Data Privacy, reply here if you need more help on this one.
My first thought was “they probably want to ensure they are who they say they are and so want an authenticated request” - while that’s against GDPR, not everyone is as educated as they should be, and not every mistake is a nefarious activity.
There’s no reason an app should be more trustworthy than the email.
It’s pretty standard for scummy companies to make the process as annoying as possible.
The individual responding isn’t the issue. They haven’t made any decision to respond like this, they are following a script.
The script is written by people who should know exactly what they are doing, so the result is either malice or negligence. Either way it’s unacceptable where the law is concerned.
Think of the poor corporation! If they get punished for their illegal buisness practices, it’ll hurt the economy and people will be less inclined to start a small buisness. Didn’t you study piss down economics?
“WHAT ABOUT THE TRUE VICTIMS HERE! WHY DOESN’T ANYONE CARE ABOUT THOSE HARDWORKING, SALT-OF-THE-EARTH SHAREHOLDERS! ARE YOU PEOPLE FUCKING COMMUNISTS?!”
Or maybe they just want to disclose as little of their personal information, including services relied on, on an open platform like this. Idk if that’s the case, but playing devil’s advocate here
Why should they not? They posted an inquiry, looking for advice. That is their reason for posting.
They do not owe personal information beyond what is required to answer the question. And typically, with regards to anything resembling a legal matter, the less information posted publicly, the better.
That reminds me, I might have to put in a formal complaint for a somewhat similar matter.
Bought concert cards years ago, and was never able to unsubsribe from the newsletter. I sent requests to every mail address I could find, and never even got a response. Still got newsletters every now and then though.
They also just make it unnecessarily hard to contact them, so at this point I’m not sure my messages even reached them, which hopefully is what explains their failure to comply.
Genuine question: Aren’t you supposed to say “this is not legal advice?” if you identify yourself as a lawyer but you’re not their legal council? Or am I mistaken?
The purpose of that disclaimer is for the lawyer to not expose themselves to malpractice lawsuits from OP, which seems VERY unlikely to be relevant here
eBay does this too. They told me they can't access my data to delete it, that I have to log in with their website or app and send information to just get my data, let alone have it deleted.
Doubtful - I leave my account for years at a time between logins, and it’s still active (have had the account since 2002 or so, and have had at least a 10 year span without any use).
Simply ask for the official company name, registration number and country as well as the prereree means of communication that they would like your local data authorities to contact them on.
Also make a 1 star review, stating that you are in talks with your local gdpr authorities about their way of handling privacy.
This worked for me last time a company asked me to download an app to delete my account
SPF/DKIM/DMARC does not prevent sending the spoofed message, though. It is up to the recipient system to filter out the message should the checks fail. Even then, the message often lands into spam instead of being dropped.
Anyway they should configure their systems to reject unsigned e-mails and providers that don’t have a proper SPF configuration. SPF (Sender Policy Framework) allows you to make sure that the message was sent by an approved server and was not forged by some hackur.
That is especially true with large organizations where multiple non-technical teams are ordering/configuring products that send email.
Unfortunately it is difficult to solve, unless services stop allowing sending without verifying and forcing proper configuration. That would drive sales to competitors who do not enforce this, though.
They literally replied to his registered email and he has the reply. That would indicate that he has at least access to the account. So with OP’s next email quoting the reply ownership over the associated email address should be reasonably established.
If you can read emails sent to a given address, and send replies from that address, it basically is your email address for all practical purposes no matter who was meant to be using the account. This is not necessarily a good thing and better end-to-end security would be nice but it is what it is. Odds are the app itself would let anyone change the password and log in provided they can read the emails, unless it’s using some form of 2FA.
Can you write an official letter for removal of my private data for (company name) and (my name). Use a strong tone and legalese langage. Make sure you verify the timeframe they must respond (act with 30 days of this letter) and any other specific to make sure they know what my rights are and that I am serious. List the typical types of data they might have on me. And write in a 1800L lexile scale.
It would be complete bullshit, but clearly the people on the other end would be too stupid to recognize it as such. So there's really no reason not to do it as long as you're aware that it's an empty threat.
I think you could achieve the same without bullshitting by simply saying "Please delete my data within 30 days or I will report you to the relevant authorities", but each to their own.
It doesn't matter since none is needed for this. I understand that the goal is to add filler with intimidating legalese, but I doubt that customer "support" is going to react as they expect.
You can ask the text without name and write it after… I mean really? Search on hugging face for free LLM (that’s the kind of ai of chat gpt) and try it for free without registration there is that’s suuuch a thing
Subject: Formal Request for Immediate Erasure of Personal Data
Dear [Recipient Name],
I am writing to formally request the immediate erasure of all personal data pertaining to myself, [Your Name], from your systems in accordance with Article 17 of the General Data Protection Regulation (GDPR). This entails the deletion of my data from your databases and any other processing systems within your organization.
The categories of data I am referring to include, but are not limited to:
Personal identification information (name, address, email, phone number)
Professional data (job title, employer, professional contacts)
Financial data (bank account details, transaction history)
Technical data (IP addresses, cookie data, browsing history)
Any other category of data related to me.
You are hereby instructed to ensure this erasure without undue delay and, in any event, within thirty (30) days of receipt of this letter. Failure to comply within this timeframe will compel me to take further legal action to enforce my rights under the GDPR.
I further request that you provide written confirmation upon successful deletion of my data, indicating that no personal data pertaining to me remains in your possession, custody or control.
In the event that you require any additional information to comply with this request, you may contact me via email or phone, as provided above.
Thank you for your prompt attention to this serious matter.
Sincerely,
[Your Signature (if sending a hard copy)] [Your Name (printed)]
That’s really not cool that you’re upfront about your assumptions. I’m moving from Gmail to another mail provider and, in the process, deleting accounts I don’t use. Please don’t assume in advance something you have no idea about.
I was in the same situation as you a year ago. Deleted my Google and Microsoft accounts. Would you mind sharing what new services you have settled with?
For some critical services (such as banks, hosting providers, etc.) I use ProtonMail. For the rest of the stuff, I have my own email server hosted at my home set up with a VPN tunnel to OVH (data is kept on a server at my home, but the server is publicly available from the Internet thanks to a cheap VPS from OVH). The most private is what you have full control over.
With this solution, I have full control over my data.
Wow that’s pretty advanced. I always thought about hostim my own email server but then people reminded me that I might get blocked or classiefied as spam so it didn’t seem worth the effort. I don’t use email that often anyways.
Being friendly doesn’t negate the fact that they are out of compliance with the law. Even sending a second email to insist they delete your data is an undue burden.
You’re right, but sometimes a bit of undue courtesy repays in dividends. Not every minor infraction is nefarious and not every minor infraction deserves reporting. A simple courteous reminder of their obligations may save both parties some undue hassle.
I can imagine this company doing this to ensure only authenticated users can have their data removed. There are other ways…but this was probably what they considered reasonable and painless for all, admittedly they (wrongly) didn’t consider the audience of this community in that decision.
According to my training when I was handling my workplace’s GDPR request email companies have 30 days to respond. Meaning they could simply have a bot respond to all incoming emails on day 29 and say “we’re reviewing your request” and be in compliance for a while longer
Remember that you're talking to some poorly paid person that has to deal with unhappy people all day and probably doesn't even agree with these policies. This is no different than being in a restaurant - don't be rude to service people. Be polite, but firm. You can express that you're unhappy and that this isn't acceptable in a way that doesn't come off as berating some first level service drone.
I had this before, though not through a direct communication. Someone had gotten my email credentials somehow and installed a company’s app and made an account. When I went through the support pages on the company’s site to find out how to delete the account the only listed way was through the app itself.
They were accommodating and helpful when I emailed the company about it though. I just told them that I can’t agree to the privacy policy and thus cannot install the app but still need the account to be deleted. They did it.
How about using a programmer style variables like badCompanyName. You don’t have to be a mathematician. Sure, I can totally appreciate concise names, but some times you have to use longer names to avoid collisions.
There is some arguement to be made that Facebook was kind of good at first. It was useful and it had social impacts that were positive. Over time it became toxic.
Twitter was awful from day one though, mostly because it was bloody useless from day one. Everything that anybody used it for could have been done, and generally was also done, on Facebook, so there was literally no point in the platform.
I had a simmilar situation with Nicehash (crypto shit company), but I had 2fa enabled and just wanted to unsubscribe from useless newsletters. They asked for a photo of me holding a paper with my personal information. Still didnt solve that, but some comments here might help, following
Add comment