this post was submitted on 23 Oct 2023
866 points (98.3% liked)


A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?

[–] _TheNardDog_@lemmy.world 422 points 1 year ago* (last edited 1 year ago) (19 children)

No, it’s not at all legal for the company to do this. Reply and remind them they have one calendar month to comply from the date of your original request, otherwise you will make a complaint to whichever information regulator is correct for the jurisdiction they’re operating in.

I’m a lawyer specialising in Data Privacy, reply here if you need more help on this one.

Also feel free to name the company.

[–] cheese_greater@lemmy.world 38 points 1 year ago

Fuck them and bless u lol

[–] mypasswordis1234@lemmy.world 25 points 1 year ago* (last edited 1 year ago) (7 children)

For now, I do not want to announce the name of this company publicly.

If they don't want to solve it amicably, then I will do so.

[–] sanpo@sopuli.xyz 165 points 1 year ago (4 children)

They already said they don't want to.

They asked you to install the app on purpose, in hopes that you'll decide it's too much hassle and decide not to delete the account.

[–] fmstrat@lemmy.nowsci.com 77 points 1 year ago

This is a bad decision, IMO. They may fix it for you, but then you've lost the opportunity to assist everyone who comes after you.

You posted asking the public for help. Please return the favor and report them, as you are legally supposed to do.

[–] Cornpop@lemmy.world 37 points 1 year ago (2 children)

Why not? That's so weird...

[–] Scubus@sh.itjust.works 72 points 1 year ago (2 children)

Think of the poor corporation! If they get punished for their illegal business practices, it'll hurt the economy and people will be less inclined to start a small business. Didn't you study piss down economics?

[–] Illuminostro@lemmy.world 11 points 1 year ago

"WHAT ABOUT THE TRUE VICTIMS HERE! WHY DOESN'T ANYONE CARE ABOUT THOSE HARDWORKING, SALT-OF-THE-EARTH SHAREHOLDERS! ARE YOU PEOPLE FUCKING COMMUNISTS?!"

[–] Rodeo@lemmy.ca 27 points 1 year ago (1 children)

Must be something that makes you look bad lol

Otherwise you'd just say it. You owe them nothing and they've broken the fuckin law and you're protecting them? What do they have on you?

[–] lastweakness@lemmy.world 28 points 1 year ago (4 children)

Or maybe they just want to disclose as little of their personal information, including services relied on, on an open platform like this. Idk if that's the case, but playing devil's advocate here

[–] rishado@lemmy.world 17 points 1 year ago* (last edited 1 year ago)

I will never understand why people complain online then do this. Why are you being such a pushover. What does amicably even mean to you?

[–] NaturalViber@lemmy.world 10 points 1 year ago

Feetfinders.com? Heh

[–] miss_brainfart@lemmy.ml 13 points 1 year ago* (last edited 1 year ago) (2 children)

That reminds me, I might have to put in a formal complaint for a somewhat similar matter.

Bought concert cards years ago, and was never able to unsubscribe from the newsletter. I sent requests to every mail address I could find, and never even got a response. Still got newsletters every now and then though.

They also just make it unnecessarily hard to contact them, so at this point I'm not sure my messages even reached them, which hopefully is what explains their failure to comply.

[–] yoz@aussie.zone 357 points 1 year ago

Name and shame the company

[–] 7heo@lemmy.ml 312 points 1 year ago* (last edited 1 year ago) (3 children)
[–] Nelots@lemm.ee 105 points 1 year ago (7 children)

Man, Elon really does ruin everything. Can't even use X as a variable anymore without a disclaimer.

[–] driving_crooner@lemmy.eco.br 32 points 1 year ago (2 children)

It's causing hell of problems to mathematicians worldwide.

[–] PersnickityPenguin@lemm.ee 10 points 1 year ago

Suddenly, every math formula ever written is subject to copyright and royalties.

[–] ultratiem@lemmy.ca 14 points 1 year ago

Fuck that, I refuse to give him the letter. He can pry it from my cold dead hands as he chokes on my liver!

[–] shasta@lemm.ee 23 points 1 year ago (3 children)

It is an ex-social-platform. It is now a pile of garbage.

[–] library_napper@monyet.cc 17 points 1 year ago (2 children)

This is why I always call it twitter. X is a variable

[–] magnetosphere@kbin.social 183 points 1 year ago

No. They are obligated to obey the law as written. They don’t get to create conditions.

[–] SimonSaysStuff@lemmy.world 131 points 1 year ago

GDPR clearly states you can contact any part of the organisation with your request. You can make your request verbally or in writing and they must acknowledge it. They can't refuse and make you use their app.

For fun send them a Subject Access Request and if they don't acknowledge it, report them to the ICO (if you're in the UK)

[–] SpaceNoodle@lemmy.world 74 points 1 year ago

Name & shame.

[–] cosmicrookie@lemmy.world 69 points 1 year ago (1 children)

Simply ask for the official company name, registration number and country as well as the preferred means of communication that they would like your local data authorities to contact them on.

Also make a 1 star review, stating that you are in talks with your local gdpr authorities about their way of handling privacy.

This worked for me last time a company asked me to download an app to delete my account

[–] Ferris@infosec.pub 9 points 1 year ago (2 children)
[–] Jimmycrackcrack@lemmy.ml 67 points 1 year ago* (last edited 1 year ago)

I had this before, though not through a direct communication. Someone had gotten my email credentials somehow and installed a company's app and made an account. When I went through the support pages on the company's site to find out how to delete the account the only listed way was through the app itself.

They were accommodating and helpful when I emailed the company about it though. I just told them that I can't agree to the privacy policy and thus cannot install the app but still need the account to be deleted. They did it.

[–] Devjavu@lemmy.dbzer0.com 39 points 1 year ago

It is absolutely not

[–] vsis@feddit.cl 24 points 1 year ago (3 children)

They were very friendly imo. No need to speak legalese or to be rude.

Just tell them that you can't or don't want to install the app.

If they don't help you, then you proceed to remind them that you are not required to install anything for them to comply with GDPR.

[–] themeatbridge@lemmy.world 76 points 1 year ago (1 children)

Being friendly doesn't negate the fact that they are out of compliance with the law. Even sending a second email to insist they delete your data is an undue burden.

[–] el_abuelo@lemmy.ml 9 points 1 year ago (1 children)

You're right, but sometimes a bit of undue courtesy repays in dividends. Not every minor infraction is nefarious and not every minor infraction deserves reporting. A simple courteous reminder of their obligations may save both parties some undue hassle.

I can imagine this company doing this to ensure only authenticated users can have their data removed. There are other ways...but this was probably what they considered reasonable and painless for all, admittedly they (wrongly) didn't consider the audience of this community in that decision.

[–] Rodeo@lemmy.ca 17 points 1 year ago (4 children)

> A simple courteous reminder of their obligations may save both parties some undue hassle.

Actually, the customer is already getting undue hassle, while the company is just breaking the law. Why can't we just expect better?

[–] Draedron@lemmy.dbzer0.com 54 points 1 year ago

It's the bare minimum of friendliness expected in customer care. Most likely a macro which is normal with these kinds of requests.

[–] jet@hackertalks.com 22 points 1 year ago* (last edited 1 year ago)

Time to speak corporate to them. Write out a GDPR removal demand letter. And mail it to them certified or whatever corporate mail does in your local jurisdiction.

[–] rambos@lemm.ee 13 points 1 year ago (2 children)

I had a similar situation with Nicehash (crypto shit company), but I had 2FA enabled and just wanted to unsubscribe from useless newsletters. They asked for a photo of me holding a paper with my personal information. Still didn't solve that, but some comments here might help, following

[–] ElleChaise@kbin.social 10 points 1 year ago* (last edited 1 year ago) (3 children)

eBay does this too. They told me they can't access my data to delete it, that I have to log in with their website or app and send information to just get my data, let alone have it deleted.

[–] Blackmist@feddit.uk 9 points 1 year ago (2 children)

It's way too easy to spoof email "from" addresses.

There should be a way to do it through their website though. Requiring an app is just stupid.

[–] wido@lemmy.tf 18 points 1 year ago (2 children)

They literally replied to his registered email and he has the reply. That would indicate that he has at least access to the account. So with OP's next email quoting the reply, ownership over the associated email address should be reasonably established.

[–] mypasswordis1234@lemmy.world 9 points 1 year ago* (last edited 1 year ago) (5 children)

Their site is just a landing page, there's no login option or anything like that. Their business is a smartphone application.

Edit: Gmail uses SPF, DMARC and DKIM signing so spoofing is not possible if their email services are configured properly.
