cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
Advocate I

Re: Anyone else seeing "Data Removal Request" mailshots?

Disclaimer: I am not a lawyer and this is in no way to be considered legal advice.

Outright ignoring the request is not an option that I read and understood from the GDPR. The alternative options you have appear to be either refusing the request (replying to the request with a statement as to why you are taking no action); or charging a “reasonable fee” for the administrative burden of responding to an unfounded request. Either way, it appears as though you are required to respond to these requests.

See the GDPR at, Chapter III, Section 1, Article 12 on pg 40: (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679)

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Sincerely,

Eric B
Newcomer II

Re: Anyone else seeing "Data Removal Request" mailshots?

I am thinking that if these cannot be verified by the business then you don't have to act on it.

 

So if you request verification and do not get it the request must be invalid. (Or you can use refusal on those grounds).

 

 

Maria M - CIPP/E
Advocate I

Re: Anyone else seeing "Data Removal Request" mailshots?


@Akirin00 wrote:

I am thinking that if these cannot be verified by the business then you don't have to act on it.

 

So if you request verification and do not get it the request must be invalid. (Or you can use refusal on those grounds).

 

 


Correct me if I'm wrong, but what I read is that the organization still must act.  By the language of the act, an organization must actually reply to every request with the justification of why the organization was unable to erase data (for example, the organization had no data, so there was nothing to delete). 

 

You can't simply send the request to a spam filter and not send a reply.

Newcomer II

Re: Anyone else seeing "Data Removal Request" mailshots?

Agreed, but would you send a person that you could not confirm that is the legitimate data subject information on the existence (or not) of their data? I would respond to all these requests that will not verify themselves that we cannot process further unless they verify themselves. (What we did is we have our CRM send them 2 chasers stating that we will not be able to process if they do not verify themselves. We would action on their request when and if they respond at some point.)

 

At the end of the day, it doesn't save you 100% of the effort but it saves you some.

 

PS somewhere I read( probably wp29 or ICO guidance that you start counting days (1 month) from the point of verification. (will update the thread once I find it again).

 

Update: Article 12, 2 states that: 

"The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. 2In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject. "

 

 

Maria M - CIPP/E
YR
Viewer II

Re: Anyone else seeing "Data Removal Request" mailshots?

Just wanted to say thanks for the input on this post.

We've just started seeing some of these this week, so this thread has been very useful Robot Happy

Viewer II

Re: Anyone else seeing "Data Removal Request" mailshots?

I have one of these a day in my inbox. We think its from Deseat.me It seems the programme that is sending these has access to the users gmail and Hotmail mail accounts as the request originates from the users accounts. It searches through your emails and finds where you are registered then sends a GDPR request to remove the data.My opinion is you should treat the request as if its real. I would ask them to reconfirm that they want their data removed and ask for two forms of identity. If they don't reply you can safely ignore it after that. I have asked for confirmation and the individuals did respond. (As an aside your not entitled to charge for this service unless it is unreasonable amount of work).

Advocate I

Re: Anyone else seeing "Data Removal Request" mailshots?


@Barry_M wrote:

(As an aside your not entitled to charge for this service unless it is unreasonable amount of work).


You are apparently allowed to charge for the service if the request is unfounded.  Such as sending or causing to be sent a request that is invalid. 

 

My personal understanding of unfounded includes sending a bulk-mail request under GDPR, causing the recipient to run around and validate it, where the request was ultimately rescinded; or where the recipient didn't hold any data on the sender (a prophylactic GDPR request). 

Highlighted
Del
Newcomer III

Re: Anyone else seeing "Data Removal Request" mailshots?

So far we've had approx. 50 of these requests ... after the initial rush, it's now down to one a day.

 

I've responded to each one.

 

It's a little time consuming, and mostly the requests are for entries that only exist on our marketing system.

 

I'm now at the navel-gazing stage ... if I keep a record of these requests, that record itself becomes a dataset containing PII ... and our mail system logs now also have an instance of the email address used to make the request in the first place.

 

I guess this will just become a "normal" cost of doing business in the EU now.

 

Newcomer I

Re: Anyone else seeing "Data Removal Request" mailshots?

But you have a legal justification to keep them Smiley Happy
Viewer II

Re: Anyone else seeing "Data Removal Request" mailshots?

Hi @Akirin00,

How are you asking them to verify themselves? What information are you asking for?