Del
Newcomer III

Anyone else seeing "Data Removal Request" mailshots?

Hi there ... I'm looking for your thoughts & wisdom on this.

 

In the last two weeks, I've seen a bunch of emails with the same Subject and Body Text .. only the email addresses change.

 

The Subject is always "Data Removal Request"

The Body Text is always

 

"I hereby withdraw my consent for you to collect, process or store any personal data related to name@emailprovider.com

 

I request that you delete any and all data related to, and belonging to name@emailprovider.com that your company stores, pursuant to my rights under Article 17 GDPR.

 

Thank you!"

 

These requests have covered emails from a variety of free email providers, gmail.com, gmail.fr, hotmail.com ... which makes me think there is a system or service out there generating these emails on behalf of individuals ... possibly for a nominal fee 🙂

 

Of the 20 or so emails we've seen, only a handful of the emails are actually customers / users of our service ... which makes me think the system or service sending these emails is generating mailshots and firing them out to a range of service providers like my company

 

Anyone else seen this?

 

I'm going to work through the email headers to see if there are any clues ... but I thought it was worth posting here in case anyone else is in the same position as me 🙂

 

 

42 Replies
Akirin00
Newcomer II

Hi Hookrook,
Well, I think the best answer here is that it depends on the type of processing and
sensitivity of data as well as the type of your business.

In our case, we have an ecommerce site and our customers have to register to
purchase for example. We ask them to submit a ticket that requires them to
be logged in when they do that. If they just email support then we check if
this is from the registered email address for example or might ask other
account related questions.

But again it would depend on what a company is collecting and processing.

Hope this helps.
Maria M - CIPP/E
hookrook
Viewer II

Thanks for your reply @Akirin00

 

This is for everyone...

 

We are receiving requests (quite possibly from https://www.deseat.me/) from people who are not users in our system. There are though other systems where we keep people's information. For example, Mailchimp - where people's name and email is kept if they signed up to our newsletter on our website without actually signing up for our service.

 

For someone like this - who is not a user of our system, has never agreed to the terms of service of our application, but has signed up to receive email, would you still somehow verify them before removing them from mailing lists?

Akirin00
Newcomer II

We get those too from deseat. In our case I think if they come from the
email address that is registered to receive our marketing emails it should
be considered verified.

Would be good to hear other opinions though.
Maria M - CIPP/E
someone
Newcomer I

Isn't there a requirement to keep the data in case of dispute of the purchase?
Barry_M
Viewer II

You have two routes. Both are valid.
1) Respond and ask for identification. If they don't reply you can ignore it. The ICO website tells us if you have doubts as to who they are, that you can "request information that is necessary to confirm who they are"
2) Treat this like most people treat marketing removal requests and don't verify with ID and remove them from your list (like an unsubscribe link on an email). You can then inform them they have been removed and that they can always opt back in.
It's your choice. We are going down the option 2 route as generally we feel this is safer.


Akirin00
Newcomer II

Agree on both points Barry. For marketing emails it absolutely makes sense
if it is just unsubscribe I think.
Maria M - CIPP/E
Barry_M
Viewer II

That is another scenario altogether. My last comment was in relation to marketing. If you have a transaction associated with the pi then you need to keep the pi for 6 years as per the company's act.

Del
Newcomer III

We're treating the "deseat.me" requests as unsubscribe requests too.

 

None of the ones we've seen yet have come from actual paying customers of the service ... but we still have to check, which takes a little time ... I need to automate that process. Until then I'm reluctant to spend even more time on "verifying" these requests and having back & forth conversations with people who really just want to unsubscribe from marketing campaigns.

 

 

I'd like to think that paying customers are smart enough to know that we can't "forget" their commercial transactions with us ... but we'll see 🙂

Barry_M
Viewer II

Most of our requests from deseat.me have subscribed to our marketing. The deseat program appears to check subscriptions somehow.

Akirin00
Newcomer II

I am not sure you can work on assumption here. Wherever the request comes
from it still clearly asks you to delete them. So in that case you need
to try and verify and act on that.

Also, whatever you decide you need to keep, you need to state on your
deletion confirmation along with the retention period criteria and the
legal basis.
Maria M - CIPP/E