Re: Anyone else seeing "Data Removal Request" mail... - Page 4

Del · ‎06-05-2018

Hi there ... I'm looking for your thoughts & wisdom on this.

In the last two weeks, I've seen a bunch of emails with the same Subject and Body Text .. only the email addresses change.

The Subject is always "Data Removal Request"

The Body Text is always

"I hereby withdraw my consent for you to collect, process or store any personal data related to name@emailprovider.com

I request that you delete any and all data related to, and belonging to name@emailprovider.com that your company stores, pursuant to my rights under Article 17 GDPR.

Thank you!"

These requests have covered emails from a variety of free email providers, gmail.com, gmail.fr, hotmail.com ... which makes me think there is a system or service out there generating these emails on behalf of individuals ... possibly for a nominal fee 🙂

Of the 20 or so emails we've seen, only a handful of the emails are actually customers / users of our service ... which makes me think the system or service sending these emails is generating mailshots and firing them out to a range of service providers like my company

Anyone else seen this?

I'm going to work through the email headers to see if there are any clues ... but I thought it was worth posting here in case anyone else is in the same position as me 🙂

Akirin00 · ‎06-28-2018

Hi Hookrook,
Well i think the best answer here is depends for the type of processing and
swnsitivity of data as well as the type of your business.

In our case, we have a ecommerce site and our customers have to register to
purchase for example. We ask them to submit a ticket that requires them to
be logged in when they do that. If they just email support then we check of
this is from the registered email address for example or might ask other
account related questions.

But again ut would depend on what a company is collecting and processing.

Hope this helps.

Maria M - CIPP/E

hookrook · ‎06-28-2018

Thanks for your reply @Akirin00

This is for everyone...

We are receiving requests (quite possibly from https://www.deseat.me/) from people who are not users in our system. There are though other systems where we keep people's information. For example, Mailchimp - where people's name and email is kept if they signed up to to our newsletter on our website without actually signing up for our service.

For someone like this - who is not a user of our system, has never agreed to the terms of service of our application, but has signed up to receive email, would you still somehow verify them before removing them form mailing lists?

Akirin00 · ‎06-28-2018

We get those too from deseat. In our case i think if they come from the
email address that is registered to receive our marketing emails it should
be considered verified.

Would be good to hear other opinions though.

Maria M - CIPP/E

someone · ‎06-28-2018

Isn't there a requirement to keep the data in case of dispute of the purchase?

Barry_M · ‎06-28-2018

You have two routes.Both are valid.
1) Respond and ask for identification.If they don't reply you can ignore it. The ICO website tells us if you have doubts as to who they are, that you can "request information that is necessary to confirm who they are"
2) Treat this like most people treat marketing removal requests and don't verify with ID and remove them from your list(like an unsubscribe link on an email) You can then inform them they have been removed and that they can always opt back in.
It's your choice. We are going down the option 2 route as generally we feel this is safer.

⁣Sent from BlueMail

Akirin00 · ‎06-28-2018

Agree on both points Barry. For marketing emails it absolutely makes sense
if it is just unsubscribe i think.

Maria M - CIPP/E

Barry_M · ‎06-28-2018

That is another scenario altogether. My last comment was in relation to marketing.If you have a transaction associated with the pi them you need to keep the pi for 6 years as per the company's act.

⁣Sent from BlueMail

Del · ‎06-28-2018

We're treating the "deseat.me" requests as unsubscribe requests too.

None of the ones we've seen yet have come from actual paying customers of the service ... but we still have to check, which takes a little time ... I need to automate that process. Until then I'm reluctant to spend even more time on "verifying" these requests and having back & forth conversations with people who really just want to unsubscribe from marketing campaigns.

I'd like to think that paying customers are smart enough to know that we can't "forget" their commercial transactions with us ... but we'll see 🙂

Barry_M · ‎06-28-2018

Most of our requests from deseat.me have subscribed to our marketing. The deseat program appears to check subscriptions somehow.

⁣Sent from BlueMail

Akirin00 · ‎06-28-2018

I am not sure you can work on assumption here. Wherever the request comes
from it is still clearly asks you to delete them. So in that case you need
to try and verify and act on that.

Also, whatever you devide you need to keep you need to state on your
deletion confirmation along with the retention period criteria and the
legal basis.

Maria M - CIPP/E

Anyone else seeing "Data Removal Request" mailshots?