A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?
Name and shame the company
It is not legal. Please report it to your local Data Protection Authority (DPA).
Something along the lines of “I contacted X for a GDPR request via email, using the address associated with my user account. Their answer is requiring me to install their app, and agree to several new legally binding ToSes in the process.”
Edit: due to the recent renaming of a certain (less and less) popular app, I need to add a disclaimer: I meant “X” as a variable to substitute, not as a verbatim name… Although I would not be surprised if it were the “X social platform, formerly known as twitter” (AKA “XSPFKT”) we are talking about.
Man, Elon really does ruin everything. Can’t even use X as a variable anymore without a disclaimer.
It’s causing hell of problems to mathematicians worldwide.
Suddenly, every math formula ever written is subject to copyright and royalties.
They are left asking Y.
Fuck that, I refuse to give him the letter. He can pry it from my cold dead hands as he chokes on my liver!
How about using a programmer style variables like badCompanyName. You don’t have to be a mathematician. Sure, I can totally appreciate concise names, but some times you have to use longer names to avoid collisions.
I prefer [insertconpanynamehere] but in this case name and shame almost seems more appropriate.
Csmel case isn’t POSIX complaint. Underscores ftw /s
It is an ex-social-platform. It is now a pile of garbage.
It was always a pile of garbage…
This is why I always call it twitter. X is a variable
No. They are obligated to obey the law as written. They don’t get to create conditions.
GDPR clearly states you can contact any part of the organisation with your request. You can make your request verbally or in writing and they must acknowledge it. They can’t refuse and make you use their app.
For fun send them a Subject Access Request and if they don’t acknowledge it, report them to the ICO (if you’re in the UK)
I had this before, though not through a direct communication. Someone had gotten my email credentials somehow and installed a company’s app and made an account. When I went through the support pages on the company’s site to find out how to delete the account the only listed way was through the app itself.
They were accommodating and helpful when I emailed the company about it though. I just told them that I can’t agree to the privacy policy and thus cannot install the app but still need the account to be deleted. They did it.
I had a simmilar situation with Nicehash (crypto shit company), but I had 2fa enabled and just wanted to unsubscribe from useless newsletters. They asked for a photo of me holding a paper with my personal information. Still didnt solve that, but some comments here might help, following
They were very friendly imo. No need to speak legalese or to be rude.
Just tell them that you can’t or don’t want to install the app.
If they don’t help you, then you proceed to remind them that you are not required to install anything for them to comply with GDPR.
It’s the bare minimum of friendliness expected in customer care. Most likely a macro which is normal with these kind of requests.
Removed by mod
It is absolutely not
It’s way too easy to spoof email “from” addresses.
There should be a way to do it through their website though. Requiring an app is just stupid.
They literally replied to his registered email and he has the reply. That would indicate that he has at least access to the account. So with OP’s next email quoting the reply ownership over the associated email address should be reasonably established.
That would indicate that
hesomeone has at least access to the account.
eBay does this too. They told me they can’t access my data to delete it, that I have to log in with their website or app and send information to just get my data, let alone have it deleted.
Doesn’t ebay delete the account after certain amount of inactivity? Just let it lapse then?
Don’t think so. I haven’t been able to login to my ebay account for 10+ years, still get emails.
Doubtful - I leave my account for years at a time between logins, and it’s still active (have had the account since 2002 or so, and have had at least a 10 year span without any use).
No, it’s not at all legal for the company to do this. Reply and remind them they have one calendar month to comply from the date of your original request, otherwise you will make a complaint to which ever information regulator is correct for the juridiction they’re operating in.
I’m a lawyer specialising in Data Privacy, reply here if you need more help on this one.
Also feel free to name the company.
Fuck them and bless u lol
For now, I do not want to announce the name of this company publicly.
If they don’t want to solve it amicably, then I will do so.
They already said they don’t want to.
They asked you to install the app on purpose, in hopes that you’ll decide it’s too much hassle and decide not to delete the account.
How do you know this?
My first thought was “they probably want to ensure they are who they say they are and so want an authenticated request” - while that’s against GDPR, not everyone is as educated as they should be, and not every mistake is a nefarious activity.
There’s no reason an app should be more trustworthy than the email.
It’s pretty standard for scummy companies to make the process as annoying as possible.
Why not? That’s so weird…
Think of the poor corporation! If they get punished for their illegal buisness practices, it’ll hurt the economy and people will be less inclined to start a small buisness. Didn’t you study piss down economics?
Time to speak corporate to them. Write out a GDPR removal demand letter. And mail it to them certified or whatever corporate mail does in your local jurisdiction.
Name & shame.
I like how they end it with “greetings”
I don’t know, maybe? If they have a process, no matter how laborious and roundabout, they can always claim that they have a process and that you have nothing to complain about, legally speaking. Their wagering that people will not go through all the bullshit, and they’re unfortunately right. That’s literally why they do it. The only correct response is to hound them relentlessly, going to Twitter (or something else idk these days, and I’m not calling it X), the press if necessary, and pestering as many government bodies and officials as you have to in order to make them get their fucking shit together. And then they’ll make your particular situation of priority because now you’re being more of a pain in the ass than actually doing their job is. They won’t change the broken system, because one exception in a thousand isn’t worth it to them to be bothered with.
Tldr, maybe but it probably won’t help you, so make it as big of a headache for them as possible.
They don’t get to make it harder to cancel than to sign up
