Del
Newcomer III

Anyone else seeing "Data Removal Request" mailshots?

Hi there ... I'm looking for your thoughts & wisdom on this.

In the last two weeks, I've seen a bunch of emails with the same Subject and Body Text ... only the email addresses change.

The Subject is always "Data Removal Request"

The Body Text is always

"I hereby withdraw my consent for you to collect, process or store any personal data related to name@emailprovider.com

I request that you delete any and all data related to, and belonging to name@emailprovider.com that your company stores, pursuant to my rights under Article 17 GDPR.

Thank you!"

These requests have covered emails from a variety of free email providers, gmail.com, gmail.fr, hotmail.com ... which makes me think there is a system or service out there generating these emails on behalf of individuals ... possibly for a nominal fee 🙂

Of the 20 or so emails we've seen, only a handful of the emails are actually customers / users of our service ... which makes me think the system or service sending these emails is generating mailshots and firing them out to a range of service providers like my company.

Anyone else seen this?

I'm going to work through the email headers to see if there are any clues ... but I thought it was worth posting here in case anyone else is in the same position as me 🙂


42 Replies
Baechle
Advocate I

Disclaimer: I am not a lawyer and this is in no way to be considered legal advice.

Outright ignoring the request is not an option that I read and understood from the GDPR. The alternative options you have appear to be either refusing the request (replying to the request with a statement as to why you are taking no action); or charging a “reasonable fee” for the administrative burden of responding to an unfounded request. Either way, it appears as though you are required to respond to these requests.

See the GDPR at, Chapter III, Section 1, Article 12 on pg 40: (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679)

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Sincerely,

Eric B
Akirin00
Newcomer II

I am thinking that if these cannot be verified by the business then you don't have to act on it.

So if you request verification and do not get it the request must be invalid. (Or you can use refusal on those grounds).


Maria M - CIPP/E
Baechle
Advocate I


@Akirin00 wrote:

I am thinking that if these cannot be verified by the business then you don't have to act on it.

So if you request verification and do not get it the request must be invalid. (Or you can use refusal on those grounds).

Correct me if I'm wrong, but what I read is that the organization still must act. By the language of the act, an organization must actually reply to every request with the justification of why the organization was unable to erase data (for example, the organization had no data, so there was nothing to delete).

You can't simply send the request to a spam filter and not send a reply.

Akirin00
Newcomer II

Agreed, but would you send a person that you could not confirm is the legitimate data subject information on the existence (or not) of their data? I would respond to all these requests that will not verify themselves that we cannot process further unless they verify themselves. (What we did is we have our CRM send them 2 chasers stating that we will not be able to process if they do not verify themselves. We would action their request when and if they respond at some point.)

At the end of the day, it doesn't save you 100% of the effort but it saves you some.

PS somewhere I read (probably WP29 or ICO guidance) that you start counting days (1 month) from the point of verification. (Will update the thread once I find it again.)

Update: Article 12(2) states that:

"The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject."


Maria M - CIPP/E
YR
Viewer II

Just wanted to say thanks for the input on this post.

We've just started seeing some of these this week, so this thread has been very useful.

Barry_M
Viewer II

I have one of these a day in my inbox. We think it's from Deseat.me. It seems the programme that is sending these has access to the users' Gmail and Hotmail mail accounts as the request originates from the users' accounts. It searches through your emails and finds where you are registered then sends a GDPR request to remove the data. My opinion is you should treat the request as if it's real. I would ask them to reconfirm that they want their data removed and ask for two forms of identity. If they don't reply you can safely ignore it after that. I have asked for confirmation and the individuals did respond. (As an aside, you're not entitled to charge for this service unless it is an unreasonable amount of work.)
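As an added example (not from this thread or any of its posters), a small Python triage script for the templated message the original post quotes: it recognises the Subject and body pattern, extracts the address the request names, checks it against constructed placeholder data stores, flags whether the From address matches the address named (Barry_M's point that the requests originate from the user's own account), and picks the reply: a "no data held" response where nothing exists, or the identity-verification step Akirin00 describes where it does. The store contents and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TEMPLATE_SUBJECT = "Data Removal Request"
# Pattern for the templated body quoted in the post: a consent withdrawal
# naming one address and citing Article 17. The address is captured once.
TEMPLATE_BODY = re.compile(
    r"withdraw my consent.*?related to\s+(?P<addr>[\w.+-]+@[\w.-]+\.\w+)"
    r".*?Article 17 GDPR", re.S | re.I)

# Constructed sample of where the business holds addresses; real triage
# would query the customer database and the marketing system instead.
DATA_STORES = {"customers": {"alice@example.com"},
               "marketing": {"bob@example.net"}}


def triage(raw_message: str) -> dict:
    """Classify one raw RFC 5322 message and decide which reply it needs."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").strip()
    body = "" if msg.is_multipart() else msg.get_payload()
    match = TEMPLATE_BODY.search(body)
    if subject != TEMPLATE_SUBJECT or match is None:
        return {"template": False, "action": "manual_review"}
    addr = match["addr"].lower()
    sender = parseaddr(msg["From"] or "")[1].lower()
    held_in = [name for name, store in DATA_STORES.items() if addr in store]
    record = {"template": True, "subject_addr": addr,
              # The thread reports these come from the subject's own mailbox;
              # a mismatch is one more reason to insist on verification.
              "from_matches": sender == addr, "held_in": held_in}
    if not held_in:
        # Article 12 still requires a reply: state that no data is held.
        record["action"] = "reply_no_data_held"
    else:
        # Data exists: ask the requester to verify identity before erasing,
        # and count the one-month deadline from verification (per the thread).
        record["action"] = "request_identity_verification"
    return record


# Constructed sample message in the thread's template (not a real request).
SAMPLE_REQUEST = (
    "From: Alice <alice@example.com>\nSubject: Data Removal Request\n\n"
    "I hereby withdraw my consent for you to collect, process or store any "
    "personal data related to alice@example.com\n\nI request that you delete "
    "any and all data related to, and belonging to alice@example.com that your "
    "company stores, pursuant to my rights under Article 17 GDPR.\n\nThank you!\n")
```

Feeding each incoming message to `triage()` gives a record that can be logged without storing the body, which also keeps the PII footprint of the request log small.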

Baechle
Advocate I


@Barry_M wrote:

(As an aside your not entitled to charge for this service unless it is unreasonable amount of work).


You are apparently allowed to charge for the service if the request is unfounded. Such as sending or causing to be sent a request that is invalid.

My personal understanding of unfounded includes sending a bulk-mail request under GDPR, causing the recipient to run around and validate it, where the request was ultimately rescinded; or where the recipient didn't hold any data on the sender (a prophylactic GDPR request).

Del
Newcomer III

So far we've had approx. 50 of these requests ... after the initial rush, it's now down to one a day.

I've responded to each one.

It's a little time consuming, and mostly the requests are for entries that only exist on our marketing system.

I'm now at the navel-gazing stage ... if I keep a record of these requests, that record itself becomes a dataset containing PII ... and our mail system logs now also have an instance of the email address used to make the request in the first place.

I guess this will just become a "normal" cost of doing business in the EU now.

someone
Newcomer I

But you have a legal justification to keep them 🙂
hookrook
Viewer II

Hi @Akirin00,

How are you asking them to verify themselves? What information are you asking for?