A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    arrow-up
    3
    arrow-down
    2
    ·
    1 year ago

    SPF, DMARC, and DKIM don’t work to actually verify that the message you sent is from the person it says sent it. I know it’s stupid, but DKIM has been designed more as spam protection than as email verification.

    Also, anyone with access to a Google mail server can generate valid DKIM signatures for any Google operated mail domain because of Gmail weirdness.

    While their demand to install an app just to contact them is rather stupid, they may ask you to identify yourself to verify your identity, and that request may involve sending over a picture of your ID. An email address alone isn’t enough to verify your identity, that’s why modern apps have 2FA.

    You can always ask your local DPA for guidance of to lodge a complaint, but installing the app may be the most privacy friendly way to identify yourself by proving account access.