A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?

  • _TheNardDog_@lemmy.world
    link
    fedilink
    English
    arrow-up
    324
    ·
    edit-2
    1 year ago

    No, it’s not at all legal for the company to do this. Reply and remind them they have one calendar month to comply from the date of your original request, otherwise you will make a complaint to which ever information regulator is correct for the juridiction they’re operating in.

    I’m a lawyer specialising in Data Privacy, reply here if you need more help on this one.

    Also feel free to name the company.

    • My Password Is 1234@lemmy.worldOP
      link
      fedilink
      arrow-up
      74
      arrow-down
      43
      ·
      edit-2
      1 year ago

      For now, I do not want to announce the name of this company publicly.

      If they don’t want to solve it amicably, then I will do so.

      • sanpo@sopuli.xyz
        link
        fedilink
        arrow-up
        132
        arrow-down
        1
        ·
        1 year ago

        They already said they don’t want to.

        They asked you to install the app on purpose, in hopes that you’ll decide it’s too much hassle and decide not to delete the account.

        • el_abuelo@lemmy.ml
          link
          fedilink
          arrow-up
          4
          arrow-down
          11
          ·
          1 year ago

          How do you know this?

          My first thought was “they probably want to ensure they are who they say they are and so want an authenticated request” - while that’s against GDPR, not everyone is as educated as they should be, and not every mistake is a nefarious activity.

          • sanpo@sopuli.xyz
            link
            fedilink
            arrow-up
            28
            arrow-down
            1
            ·
            1 year ago

            There’s no reason an app should be more trustworthy than the email.
            It’s pretty standard for scummy companies to make the process as annoying as possible.

      • fmstrat@lemmy.nowsci.com
        link
        fedilink
        English
        arrow-up
        51
        ·
        1 year ago

        This is a bad decision, IMO. They may fix it for you, but then you’ve lost the opportunity to assist everyone who comes after you.

        You posted asking the public for help. Please return the favor and report them, as you are legally supposed to do.

        • Scubus@sh.itjust.works
          link
          fedilink
          arrow-up
          67
          arrow-down
          2
          ·
          1 year ago

          Think of the poor corporation! If they get punished for their illegal buisness practices, it’ll hurt the economy and people will be less inclined to start a small buisness. Didn’t you study piss down economics?

      • Rodeo@lemmy.ca
        link
        fedilink
        arrow-up
        25
        arrow-down
        6
        ·
        1 year ago

        Must be something that makes you look bad lol

        Otherwise you’d just say it. You owe them nothing and they’ve broken the fuckin law and you’re protecting them? What do they have on you?

        • lastweakness@lemmy.world
          link
          fedilink
          arrow-up
          21
          arrow-down
          3
          ·
          1 year ago

          Or maybe they just want to disclose as little of their personal information, including services relied on, on an open platform like this. Idk if that’s the case, but playing devil’s advocate here

            • Roboticide@lemmy.world
              link
              fedilink
              arrow-up
              12
              ·
              1 year ago

              Why should they not? They posted an inquiry, looking for advice. That is their reason for posting.

              They do not owe personal information beyond what is required to answer the question. And typically, with regards to anything resembling a legal matter, the less information posted publicly, the better.

          • Rodeo@lemmy.ca
            link
            fedilink
            arrow-up
            1
            arrow-down
            8
            ·
            1 year ago

            Personal information like the name of a company they bought something from?

            Please

    • miss_brainfart@lemmy.ml
      link
      fedilink
      arrow-up
      9
      ·
      edit-2
      1 year ago

      That reminds me, I might have to put in a formal complaint for a somewhat similar matter.

      Bought concert cards years ago, and was never able to unsubsribe from the newsletter. I sent requests to every mail address I could find, and never even got a response. Still got newsletters every now and then though.

      They also just make it unnecessarily hard to contact them, so at this point I’m not sure my messages even reached them, which hopefully is what explains their failure to comply.

      • Natanael@slrpnk.net
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Depending on country there’s probably some regulator office which you can send a complaint to

        • miss_brainfart@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          France in that case, so that would go to the CNIL. Though they want people to make an account to put in complaints online.

    • ram@bookwormstory.social
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      4
      ·
      1 year ago

      Genuine question: Aren’t you supposed to say “this is not legal advice?” if you identify yourself as a lawyer but you’re not their legal council? Or am I mistaken?

  • 7heo@lemmy.ml
    link
    fedilink
    arrow-up
    228
    ·
    edit-2
    1 year ago

    It is not legal. Please report it to your local Data Protection Authority (DPA).

    Something along the lines of “I contacted X for a GDPR request via email, using the address associated with my user account. Their answer is requiring me to install their app, and agree to several new legally binding ToSes in the process.”

    Edit: due to the recent renaming of a certain (less and less) popular app, I need to add a disclaimer: I meant “X” as a variable to substitute, not as a verbatim name… Although I would not be surprised if it were the “X social platform, formerly known as twitter” (AKA “XSPFKT”) we are talking about.

    • Nelots@lemm.ee
      link
      fedilink
      English
      arrow-up
      78
      arrow-down
      1
      ·
      1 year ago

      Man, Elon really does ruin everything. Can’t even use X as a variable anymore without a disclaimer.

      • meseek #2982@lemmy.ca
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        Fuck that, I refuse to give him the letter. He can pry it from my cold dead hands as he chokes on my liver!

      • Hamartiogonic@sopuli.xyz
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        edit-2
        1 year ago

        How about using a programmer style variables like badCompanyName. You don’t have to be a mathematician. Sure, I can totally appreciate concise names, but some times you have to use longer names to avoid collisions.

        • Thisfox@sopuli.xyz
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I prefer [insertconpanynamehere] but in this case name and shame almost seems more appropriate.

  • cosmicrookie@lemmy.world
    link
    fedilink
    arrow-up
    63
    ·
    1 year ago

    Simply ask for the official company name, registration number and country as well as the prereree means of communication that they would like your local data authorities to contact them on.

    Also make a 1 star review, stating that you are in talks with your local gdpr authorities about their way of handling privacy.

    This worked for me last time a company asked me to download an app to delete my account

  • Jimmycrackcrack@lemmy.ml
    link
    fedilink
    arrow-up
    58
    ·
    edit-2
    1 year ago

    I had this before, though not through a direct communication. Someone had gotten my email credentials somehow and installed a company’s app and made an account. When I went through the support pages on the company’s site to find out how to delete the account the only listed way was through the app itself.

    They were accommodating and helpful when I emailed the company about it though. I just told them that I can’t agree to the privacy policy and thus cannot install the app but still need the account to be deleted. They did it.

  • vsis@feddit.cl
    link
    fedilink
    English
    arrow-up
    58
    arrow-down
    34
    ·
    1 year ago

    They were very friendly imo. No need to speak legalese or to be rude.

    Just tell them that you can’t or don’t want to install the app.

    If they don’t help you, then you proceed to remind them that you are not required to install anything for them to comply with GDPR.

    • themeatbridge@lemmy.world
      link
      fedilink
      arrow-up
      58
      ·
      1 year ago

      Being friendly doesn’t negate the fact that they are out of compliance with the law. Even sending a second email to insist they delete your data is an undue burden.

      • el_abuelo@lemmy.ml
        link
        fedilink
        arrow-up
        11
        arrow-down
        4
        ·
        1 year ago

        You’re right, but sometimes a bit of undue courtesy repays in dividends. Not every minor infraction is nefarious and not every minor infraction deserves reporting. A simple courteous reminder of their obligations may save both parties some undue hassle.

        I can imagine this company doing this to ensure only authenticated users can have their data removed. There are other ways…but this was probably what they considered reasonable and painless for all, admittedly they (wrongly) didn’t consider the audience of this community in that decision.

        • Rodeo@lemmy.ca
          link
          fedilink
          arrow-up
          13
          ·
          1 year ago

          A simple courteous reminder of their obligations may save both parties some undue hassle.

          Actually, the customer is already getting undue hassle, while the company is just breaking the law. Why can’t we just expect better?

          • vsis@feddit.cl
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            11
            ·
            1 year ago

            Nobody broke the law lol.

            I believe they have like a month to comply.

            The just asked for a ticket in the app, to make their lifes easier. If OP doesn’t want to, they still have to comply though.

            Now I remember why I hate working directly with customers.

    • Draedron@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      51
      ·
      1 year ago

      It’s the bare minimum of friendliness expected in customer care. Most likely a macro which is normal with these kind of requests.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    22
    ·
    edit-2
    1 year ago

    Time to speak corporate to them. Write out a GDPR removal demand letter. And mail it to them certified or whatever corporate mail does in your local jurisdiction.

  • SimonSaysStuff@lemmy.world
    link
    fedilink
    arrow-up
    16
    ·
    1 year ago

    GDPR clearly states you can contact any part of the organisation with your request. You can make your request verbally or in writing and they must acknowledge it. They can’t refuse and make you use their app.

    For fun send them a Subject Access Request and if they don’t acknowledge it, report them to the ICO (if you’re in the UK)

  • rambos@lemm.ee
    link
    fedilink
    arrow-up
    11
    ·
    1 year ago

    I had a simmilar situation with Nicehash (crypto shit company), but I had 2fa enabled and just wanted to unsubscribe from useless newsletters. They asked for a photo of me holding a paper with my personal information. Still didnt solve that, but some comments here might help, following

  • ElleChaise@kbin.social
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    1 year ago

    eBay does this too. They told me they can’t access my data to delete it, that I have to log in with their website or app and send information to just get my data, let alone have it deleted.

    • rengoku2@lemm.ee
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      Doesn’t ebay delete the account after certain amount of inactivity? Just let it lapse then?

      • BearOfaTime@lemm.ee
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        Don’t think so. I haven’t been able to login to my ebay account for 10+ years, still get emails.

      • Apathy Tree@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Doubtful - I leave my account for years at a time between logins, and it’s still active (have had the account since 2002 or so, and have had at least a 10 year span without any use).

  • Blackmist@feddit.uk
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    4
    ·
    1 year ago

    It’s way too easy to spoof email “from” addresses.

    There should be a way to do it through their website though. Requiring an app is just stupid.

    • wido@lemmy.tf
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      1
      ·
      1 year ago

      They literally replied to his registered email and he has the reply. That would indicate that he has at least access to the account. So with OP’s next email quoting the reply ownership over the associated email address should be reasonably established.

    • My Password Is 1234@lemmy.worldOP
      link
      fedilink
      arrow-up
      10
      ·
      edit-2
      1 year ago

      Their site is just a landing page, there’s no login option or anything like that. Their business is a smartphone application.

      Edit: Gmail uses SPF, DMARC and DKIM signing so spoofing is not possible if their email services are configured properly.

      • Onioneer@sopuli.xyz
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        SPF/DKIM/DMARC does not prevent sending the spoofed message, though. It is up to the recipient system to filter out the message should the checks fail. Even then, the message often lands into spam instead of being dropped.

        • My Password Is 1234@lemmy.worldOP
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Anyway they should configure their systems to reject unsigned e-mails and providers that don’t have a proper SPF configuration. SPF (Sender Policy Framework) allows you to make sure that the message was sent by an approved server and was not forged by some hackur.

          • fatalError@lemmy.sdf.org
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            You’d be surprised how many legitimate email are sent with failed SPF. Even Microsoft sometimes doesn’t update their MX records and the SPF fails.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        arrow-up
        3
        arrow-down
        2
        ·
        1 year ago

        SPF, DMARC, and DKIM don’t work to actually verify that the message you sent is from the person it says sent it. I know it’s stupid, but DKIM has been designed more as spam protection than as email verification.

        Also, anyone with access to a Google mail server can generate valid DKIM signatures for any Google operated mail domain because of Gmail weirdness.

        While their demand to install an app just to contact them is rather stupid, they may ask you to identify yourself to verify your identity, and that request may involve sending over a picture of your ID. An email address alone isn’t enough to verify your identity, that’s why modern apps have 2FA.

        You can always ask your local DPA for guidance of to lodge a complaint, but installing the app may be the most privacy friendly way to identify yourself by proving account access.

  • Etterra@lemmy.world
    link
    fedilink
    arrow-up
    5
    arrow-down
    4
    ·
    1 year ago

    I don’t know, maybe? If they have a process, no matter how laborious and roundabout, they can always claim that they have a process and that you have nothing to complain about, legally speaking. Their wagering that people will not go through all the bullshit, and they’re unfortunately right. That’s literally why they do it. The only correct response is to hound them relentlessly, going to Twitter (or something else idk these days, and I’m not calling it X), the press if necessary, and pestering as many government bodies and officials as you have to in order to make them get their fucking shit together. And then they’ll make your particular situation of priority because now you’re being more of a pain in the ass than actually doing their job is. They won’t change the broken system, because one exception in a thousand isn’t worth it to them to be bothered with.

    Tldr, maybe but it probably won’t help you, so make it as big of a headache for them as possible.