Hi there ... I'm looking for your thoughts & wisdom on this.
In the last two weeks, I've seen a bunch of emails with the same Subject and Body Text ... only the email addresses change.
The Subject is always "Data Removal Request"
The Body Text is always
"I hereby withdraw my consent for you to collect, process or store any personal data related to name@emailprovider.com
I request that you delete any and all data related to, and belonging to name@emailprovider.com that your company stores, pursuant to my rights under Article 17 GDPR.
Thank you!"
These requests have covered emails from a variety of free email providers, gmail.com, gmail.fr, hotmail.com ... which makes me think there is a system or service out there generating these emails on behalf of individuals ... possibly for a nominal fee 🙂
Of the 20 or so emails we've seen, only a handful of the emails are actually customers / users of our service ... which makes me think the system or service sending these emails is generating mailshots and firing them out to a range of service providers like my company
Anyone else seen this?
I'm going to work through the email headers to see if there are any clues ... but I thought it was worth posting here in case anyone else is in the same position as me 🙂
I am thinking that if these cannot be verified by the business then you don't have to act on it.
So if you request verification and do not get it the request must be invalid. (Or you can use refusal on those grounds).
@Akirin00 wrote: I am thinking that if these cannot be verified by the business then you don't have to act on it.
So if you request verification and do not get it the request must be invalid. (Or you can use refusal on those grounds).
Correct me if I'm wrong, but what I read is that the organization still must act. By the language of the act, an organization must actually reply to every request with the justification of why the organization was unable to erase data (for example, the organization had no data, so there was nothing to delete).
You can't simply send the request to a spam filter and not send a reply.
Agreed, but would you send information on the existence (or not) of their data to a person you could not confirm is the legitimate data subject? I would respond to all these requests that will not verify themselves that we cannot process further unless they verify themselves. (What we did is have our CRM send them 2 chasers stating that we will not be able to process the request if they do not verify themselves. We would action their request when and if they respond at some point.)
At the end of the day, it doesn't save you 100% of the effort but it saves you some.
PS: Somewhere I read (probably WP29 or ICO guidance) that you start counting days (1 month) from the point of verification. (Will update the thread once I find it again.)
Update: Article 12(2) states that:
"The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject."
Just wanted to say thanks for the input on this post.
We've just started seeing some of these this week, so this thread has been very useful
I have one of these a day in my inbox. We think it's from Deseat.me. It seems the programme that is sending these has access to the users' Gmail and Hotmail mail accounts, as the request originates from the users' accounts. It searches through your emails and finds where you are registered, then sends a GDPR request to remove the data. My opinion is you should treat the request as if it's real. I would ask them to reconfirm that they want their data removed and ask for two forms of identity. If they don't reply you can safely ignore it after that. I have asked for confirmation and the individuals did respond. (As an aside, you're not entitled to charge for this service unless it is an unreasonable amount of work.)
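A triage sketch for the workflow described in this post and in the earlier reply about chasers (treat the request as real, ask for verification, send at most two chasers, action it only once verified). This is an added example, not code from the thread or from Deseat.me; the template regex, the customer and marketing lists, the sample message and the 30-day approximation of the one-month clock are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
# Template seen in the thread: fixed subject and body, only the address changes.
SUBJECT = "Data Removal Request"
BODY_RE = re.compile(
    r"withdraw my consent.*?related to (?P<addr>[\w.+-]+@[\w.-]+)"
    r".*?Article 17 GDPR", re.S | re.I)
CUSTOMERS = {"alice@gmail.com"}                     # constructed CRM stand-in
MARKETING = {"alice@gmail.com", "bob@hotmail.com"}  # constructed marketing list
# Constructed sample message following the template quoted in the thread.
SAMPLE = {"from": "Alice@gmail.com", "subject": SUBJECT, "body": (
    "I hereby withdraw my consent for you to collect, process or store any "
    "personal data related to alice@gmail.com\nI request that you delete "
    "it, pursuant to my rights under Article 17 GDPR.\nThank you!")}

@dataclass
class Case:
    addr: str             # address the request is about
    sender_matches: bool  # did the mail come from that same mailbox?
    in_customers: bool
    in_marketing: bool
    state: str = "awaiting_verification"
    chasers: int = 0
    deadline: "date | None" = None  # set only once identity is verified

def triage(msg: dict) -> "Case | None":
    """Return a Case for a template erasure request, or None if it is not one."""
    m = BODY_RE.search(msg["body"]) if msg["subject"].strip() == SUBJECT else None
    if not m:
        return None
    addr = m["addr"].lower()
    return Case(addr, msg["from"].strip().lower() == addr,
                addr in CUSTOMERS, addr in MARKETING)

def send_chaser(case: Case) -> Case:
    """At most two chasers; a third attempt closes the unverified request."""
    if case.state == "awaiting_verification":
        if case.chasers < 2:
            case.chasers += 1
        else:
            case.state = "closed_unverified"
    return case

def verify(case: Case, today_iso: str) -> Case:
    """Assumption from the thread: the one-month clock runs from verification."""
    case.state = "verified"
    case.deadline = date.fromisoformat(today_iso) + timedelta(days=30)
    return case
```

The `sender_matches` flag records whether the mail really came from the mailbox it asks about, which is the one cheap check available before any identity evidence arrives.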
@Barry_M wrote: (As an aside, you're not entitled to charge for this service unless it is an unreasonable amount of work.)
You are apparently allowed to charge for the service if the request is unfounded. Such as sending or causing to be sent a request that is invalid.
My personal understanding of unfounded includes sending a bulk-mail request under GDPR, causing the recipient to run around and validate it, where the request was ultimately rescinded; or where the recipient didn't hold any data on the sender (a prophylactic GDPR request).
So far we've had approx. 50 of these requests ... after the initial rush, it's now down to one a day.
I've responded to each one.
It's a little time consuming, and mostly the requests are for entries that only exist on our marketing system.
I'm now at the navel-gazing stage ... if I keep a record of these requests, that record itself becomes a dataset containing PII ... and our mail system logs now also have an instance of the email address used to make the request in the first place.
I guess this will just become a "normal" cost of doing business in the EU now.
Hi @Akirin00,
How are you asking them to verify themselves? What information are you asking for?