A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?
Name and shame the company
It is not legal. Please report it to your local Data Protection Authority (DPA).
Something along the lines of “I contacted X for a GDPR request via email, using the address associated with my user account. Their answer is requiring me to install their app, and agree to several new legally binding ToSes in the process.”
Man, Elon really does ruin everything. Can’t even use X as a variable anymore without a disclaimer.
It’s causing hell of problems to mathematicians worldwide.
Suddenly, every math formula ever written is subject to copyright and royalties.
They are left asking Y.
Fuck that, I refuse to give him the letter. He can pry it from my cold dead hands as he chokes on my liver!
How about using a programmer style variables like badCompanyName. You don’t have to be a mathematician. Sure, I can totally appreciate concise names, but some times you have to use longer names to avoid collisions.
I prefer [insertconpanynamehere] but in this case name and shame almost seems more appropriate.
Csmel case isn’t POSIX complaint. Underscores ftw /s
“As you can see on this graph, the Twitter axis represents time, and the Y axis represents total number of unique visitors”
It is an ex-social-platform. It is now a pile of garbage.
It was always a pile of garbage…
Too true.
There is some arguement to be made that Facebook was kind of good at first. It was useful and it had social impacts that were positive. Over time it became toxic.
Twitter was awful from day one though, mostly because it was bloody useless from day one. Everything that anybody used it for could have been done, and generally was also done, on Facebook, so there was literally no point in the platform.
Good point. Now it is a steaming pile of hot garbage. Haha
This is why I always call it twitter. X is a variable
It’s new name is “X, formally known as Twitter”. Which is what every news website on the planet calls it.
Regardless the fact that X is a stupid name for a company, it’s also dumb to rename a popular company generally anyway.
“Twitter” is shorter
No. They are obligated to obey the law as written. They don’t get to create conditions.
I had this before, though not through a direct communication. Someone had got my details and install a company’s app and when I went through the support pages on their site to find out how to delete the account th only listed way was through the app itself.
They were accommodating and helpful when I emailed the company about it though. I just told them tjat I can’t agree to the privacy policy and thus cannot install the app but still need the account to be deleted. They did it.
It is absolutely not
They were very friendly imo. No need to speak legalese or to be rude.
Just tell them that you can’t or don’t want to install the app.
If they don’t help you, then you proceed to remind them that you are not required to install anything for them to comply with GDPR.
It’s the bare minimum of friendliness expected in customer care. Most likely a macro which is normal with these kind of requests.
Removed by mod
Being friendly doesn’t negate the fact that they are out of compliance with the law. Even sending a second email to insist they delete your data is an undue burden.
You’re right, but sometimes a bit of undue courtesy repays in dividends. Not every minor infraction is nefarious and not every minor infraction deserves reporting. A simple courteous reminder of their obligations may save both parties some undue hassle.
I can imagine this company doing this to ensure only authenticated users can have their data removed. There are other ways…but this was probably what they considered reasonable and painless for all, admittedly they (wrongly) didn’t consider the audience of this community in that decision.
A simple courteous reminder of their obligations may save both parties some undue hassle.
Actually, the customer is already getting undue hassle, while the company is just breaking the law. Why can’t we just expect better?
Nobody broke the law lol.
I believe they have like a month to comply.
The just asked for a ticket in the app, to make their lifes easier. If OP doesn’t want to, they still have to comply though.
Now I remember why I hate working directly with customers.
I believe they have like a month to comply.
According to my training when I was handling my workplace’s GDPR request email companies have 30 days to respond. Meaning they could simply have a bot respond to all incoming emails on day 29 and say “we’re reviewing your request” and be in compliance for a while longer
No, it’s not at all legal for the company to do this. Reply and remind them they have one calendar month to comply from the date of your original request, otherwise you will make a complaint to which ever information regulator is correct for the juridiction they’re operating in.
I’m a lawyer specialising in Data Privacy, reply here if you need more help on this one.
Also feel free to name the company.
Fuck them and bless u lol
For now, I do not want to announce the name of this company publicly.
If they don’t want to solve it amicably, then I will do so.
They already said they don’t want to.
They asked you to install the app on purpose, in hopes that you’ll decide it’s too much hassle and decide not to delete the account.
How do you know this?
My first thought was “they probably want to ensure they are who they say they are and so want an authenticated request” - while that’s against GDPR, not everyone is as educated as they should be, and not every mistake is a nefarious activity.
There’s no reason an app should be more trustworthy than the email.
It’s pretty standard for scummy companies to make the process as annoying as possible.See cancelling gym membership.
The individual responding isn’t the issue. They haven’t made any decision to respond like this, they are following a script.
The script is written by people who should know exactly what they are doing, so the result is either malice or negligence. Either way it’s unacceptable where the law is concerned.
Why not? That’s so weird…
Think of the poor corporation! If they get punished for their illegal buisness practices, it’ll hurt the economy and people will be less inclined to start a small buisness. Didn’t you study piss down economics?
I guess the company is embarrassing in some way.
This is a bad decision, IMO. They may fix it for you, but then you’ve lost the opportunity to assist everyone who comes after you.
You posted asking the public for help. Please return the favor and report them, as you are legally supposed to do.
I will never understand why people complain online then do this. Why are you being such a pushover. What does amicably even mean to you?
Feetfinders.com? Heh
Must be something that makes you look bad lol
Otherwise you’d just say it. You owe them nothing and they’ve broken the fuckin law and you’re protecting them? What do they have on you?
Or maybe they just want to disclose as little of their personal information, including services relied on, on an open platform like this. Idk if that’s the case, but playing devil’s advocate here
Personal information like the name of a company they bought something from?
Please
Maybe it’s a company with only 3 customers.
Then maybe don’t post it at all?
Why should they not? They posted an inquiry, looking for advice. That is their reason for posting.
They do not owe personal information beyond what is required to answer the question. And typically, with regards to anything resembling a legal matter, the less information posted publicly, the better.
Genuine question: Aren’t you supposed to say “this is not legal advice?” if you identify yourself as a lawyer but you’re not their legal council? Or am I mistaken?
Nope.
Look it is the internet, you can rest assured if they say they are a lawyer, then there is no doubt ;)
And I’m totally not a dog. Woof!
That one is certainly illegal, misrepresenting yourself as a lawyer online and giving legal advice on that basis. Same for doctors.
I can’t decide if this is written jokingly or seriously.
Illegal where?
Canada, USA, the EU
And you are certain the poster aboves lives there because…?
“because…?” ?
Time to speak corporate to them. Write out a GDPR removal demand letter. And mail it to them certified or whatever corporate mail does in your local jurisdiction.
I had a simmilar situation with Nicehash (crypto shit company), but I had 2fa enabled and just wanted to unsubscribe from useless newsletters. They asked for a photo of me holding a paper with my personal information. Still didnt solve that, but some comments here might help, following
You can just call them a crypto company, them being shit is kind of implied.
I like how they end it with “greetings”
eBay does this too. They told me they can’t access my data to delete it, and have to login with their website or app and send information to just get my data, let alone have it deleted.
Doesn’t ebay delete the account after certain amount of inactivity? Just let it lapse then?
Don’t think so. I haven’t been able to login to my ebay account for 10+ years, still get emails.
Doubtful - I leave my account for years at a time between logins, and it’s still active (have had the account since 2002 or so, and have had at least a 10 year span without any use).
It’s way too easy to spoof email “from” addresses.
There should be a way to do it through their website though. Requiring an app is just stupid.
They literally replied to his registered email and he has the reply. That would indicate that he has at least access to the account. So with OP’s next email quoting the reply ownership over the associated email address should be reasonably established.
That would indicate that
hesomeone has at least access to the account.
Their site is just a landing page, there’s no login option or anything like that. Their business is a smartphone application.
Edit: Gmail uses SPF, DMARC and DKIM signing so spoofing is not possible if their email services are configured properly.
SPF/DKIM/DMARC does not prevent sending the spoofed message, though. It is up to the recipient system to filter out the message should the checks fail. Even then, the message often lands into spam instead of being dropped.
Anyway they should configure their systems to reject unsigned e-mails and providers that don’t have a proper SPF configuration. SPF (Sender Policy Framework) allows you to make sure that the message was sent by an approved server and was not forged by some hackur.
You’d be surprised how many legitimate email are sent with failed SPF. Even Microsoft sometimes doesn’t update their MX records and the SPF fails.
That is especially true with large organizations where multiple non-technical teams are ordering/configuring products that send email.
Unfortunately it is difficult to solve, unless services stop allowing sending without verifying and forcing proper configuration. That would drive sales to competitors who do not enforce this, though.
Name & shame.
Simply ask for the official company name, registration number and country as well as the prereree means of communication that they would like your local data authorities to contact them on.
Also make a 1 star review, stating that you are in talks with your local gdpr authorities about their way of handling privacy.
This worked for me last time a company asked me to download an app to delete my account
prereree -> preferred?
Then you, kindly dispose urself of all my personal data.
—Dictated but not read, fuck you Me(also take me to ur leader)
