this post was submitted on 17 Nov 2023
61 points (96.9% liked)

Privacy

31253 readers
630 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
61
Was forced to use a third party to fill a rental application. The application failed and now they're demanding significantly more sensitive information than what I ever provided before they'll comply. (kbin.social)
submitted 10 months ago by [email protected] to c/[email protected]
24 comments fedilink hide all child comments
 

Their reply to my request to delete my data:

Thank you for your email requesting your right to be forgotten.

In order for us to carry out this request, we require proof of ID to ensure we only action requests made by the genuine owner of this email account. Acceptable forms of identification are,

  • Recent utility bill from the last 3 months (e.g. Gas, Electric)
  • Valid drivers License
  • TV License within the last 12 months
  • Council Tax Letter within the last 12 months
  • Title Deeds
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 48 points 10 months ago (1 children)

i guess it's related to the following; exercising your rights under gdpr requires the other party to be able to identify you. that's why they need this information. if you want to (potentially) fuck with them: first ask for a listing of all the information they have about you, before asking for deleting your data. this listing must contain the request itself. if your request is missing, they are likely breaking compliance rules.

[–] [email protected] 17 points 10 months ago (3 children)

first ask for a listing of all the information they have about you, before asking for deleting your data. this listing must contain the request itself. if your request is missing, they are likely breaking compliance rules.

I'm not quite understanding, do you mind breaking that down for me?

[–] [email protected] 20 points 10 months ago (1 children)

one of your rights under gdpr is that you are entitled (free of charge) to a listing of all the data the other party has about you.

when you ask them about this listing this request itself becomes data the party has about you. it should therefore he included in the listing. (it is self referential, but that's how it is).

if the information that you requested such a listing is missing from the data they provide in response to you request, they are in breach of gdpr rules. from them on you might want to file a complaint.

( I've no idea whether this would result in any meaningful compensation, if at all. but at least it should keep them busy.)

[–] [email protected] 8 points 10 months ago

Thanks for clearing that up, definitely not looking for compensation or anything, just for my request for deletion to be respected, but adding something like that to a complaint would definitely help. Thanks!

[–] [email protected] 5 points 10 months ago (2 children)

1.) Ask for a listing of all the information they have about you.

2.) If your aforementioned Deletion request (see title) is missing from that list, they are likely breaking compliance rules.

3.) ...

4.) Profit!

[–] [email protected] 3 points 10 months ago (1 children)

Thanks that's more clear, but will they not just ask for an ID again before they'd agree to send that info?

[–] [email protected] 3 points 10 months ago (1 children)

they they need to id you everytime you exercise your gdpr rights. there is nothing they can do about this.

[–] [email protected] 3 points 10 months ago (1 children)

That's just not true, I've put through a ton of requests in the past, for companies that had much more sensitive data (like payment details) and have never been asked for ID.

[–] [email protected] 4 points 10 months ago (1 children)

they need to identify you, not necessarily using your id card.

https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e2161-1-1

chapter 3, section 1, artcle 12, paragraphs 1 & 2.

[–] [email protected] 5 points 10 months ago* (last edited 10 months ago)

Which they can by asking me to confirm who I am from the information they already have, the whole point is that they're demanding I provide additional documentation to prove my identity, which is complete overkill* and something that I have never come across, and shouldn't have to comply with.

But either way, if they need my ID before they'll provide my info, asking for it to try and catch them on a mistake only to be met by the same barrier (them demanding ID), it isn't going to work..

*(I can't deal with that document you linked right now, but the relevant governing body here (ICO) say "The organisation might need you to prove your identity. However, they should only ask you for just enough information to be sure you are the right person."

[–] [email protected] -1 points 10 months ago (1 children)

i doubt there is profit to be made. it's more to keep them busy and learning about gdpr.

[–] [email protected] 2 points 10 months ago

The "profit" bit is just an old joke. Originally from South Park.

https://knowyourmeme.com/memes/profit

[–] [email protected] 5 points 10 months ago (1 children)

The norms say after you requests it, they have 30 days to send you a successful deletion of your data or request done. After your request they have 30 days, I didn't read anything about "validate" it's you. Only 30 days to successfully delete it, and that is how it went when I did request it.

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago)

Yeah, this is how it's always gone for me before, which is why I'm so taken aback by this company's demand..