Was forced to use a third party to fill a rental application. The application failed and now they're demanding significantly more sensitive information than what I ever provided before they'll comply. - eviltoast

Their reply to my request to delete my data:

Thank you for your email requesting your right to be forgotten.

In order for us to carry out this request, we require proof of ID to ensure we only action requests made by the genuine owner of this email account. Acceptable forms of identification are,

  • Recent utility bill from the last 3 months (e.g. Gas, Electric)
  • Valid drivers License
  • TV License within the last 12 months
  • Council Tax Letter within the last 12 months
  • Title Deeds
  • drre@feddit.de
    link
    fedilink
    arrow-up
    45
    ·
    1 year ago

    i guess it’s related to the following; exercising your rights under gdpr requires the other party to be able to identify you. that’s why they need this information. if you want to (potentially) fuck with them: first ask for a listing of all the information they have about you, before asking for deleting your data. this listing must contain the request itself. if your request is missing, they are likely breaking compliance rules.

    • AdvicePleaseThankyou@kbin.socialOP
      link
      fedilink
      arrow-up
      16
      ·
      1 year ago

      first ask for a listing of all the information they have about you, before asking for deleting your data. this listing must contain the request itself. if your request is missing, they are likely breaking compliance rules.

      I’m not quite understanding, do you mind breaking that down for me?

      • drre@feddit.de
        link
        fedilink
        arrow-up
        19
        ·
        1 year ago

        one of your rights under gdpr is that you are entitled (free of charge) to a listing of all the data the other party has about you.

        when you ask them about this listing this request itself becomes data the party has about you. it should therefore he included in the listing. (it is self referential, but that’s how it is).

        if the information that you requested such a listing is missing from the data they provide in response to you request, they are in breach of gdpr rules. from them on you might want to file a complaint.

        ( I’ve no idea whether this would result in any meaningful compensation, if at all. but at least it should keep them busy.)

        • AdvicePleaseThankyou@kbin.socialOP
          link
          fedilink
          arrow-up
          8
          ·
          1 year ago

          Thanks for clearing that up, definitely not looking for compensation or anything, just for my request for deletion to be respected, but adding something like that to a complaint would definitely help. Thanks!

      • Piecemakers@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        1.) Ask for a listing of all the information they have about you.

        2.) If your aforementioned Deletion request (see title) is missing from that list, they are likely breaking compliance rules.

        3.) …

        4.) Profit!

          • drre@feddit.de
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            they they need to id you everytime you exercise your gdpr rights. there is nothing they can do about this.

            • AdvicePleaseThankyou@kbin.socialOP
              link
              fedilink
              arrow-up
              5
              arrow-down
              2
              ·
              1 year ago

              That’s just not true, I’ve put through a ton of requests in the past, for companies that had much more sensitive data (like payment details) and have never been asked for ID.

                • AdvicePleaseThankyou@kbin.socialOP
                  link
                  fedilink
                  arrow-up
                  5
                  ·
                  edit-2
                  1 year ago

                  Which they can by asking me to confirm who I am from the information they already have, the whole point is that they’re demanding I provide additional documentation to prove my identity, which is complete overkill* and something that I have never come across, and shouldn’t have to comply with.

                  But either way, if they need my ID before they’ll provide my info, asking for it to try and catch them on a mistake only to be met by the same barrier (them demanding ID), it isn’t going to work…

                  *(My brain can’t deal with that document you linked right now, but the relevant governing body here (ICO) say “The organisation might need you to prove your identity. However, they should only ask you for just enough information to be sure you are the right person.”

        • drre@feddit.de
          link
          fedilink
          arrow-up
          1
          arrow-down
          2
          ·
          1 year ago

          i doubt there is profit to be made. it’s more to keep them busy and learning about gdpr.

  • Name@programming.dev
    link
    fedilink
    arrow-up
    9
    ·
    edit-2
    1 year ago

    Most companies I’ve sent data deletion request just do it, but when they start to argue I just hit them with most ridiculous bullshit while acting like the most privileged bitch until they do it my way.

    Try saying no, see what happens.
    Fearmongering, gaslighting, lawful threats, technical jargon and the word ‘rape’ are your friend.


    Just recently when requesting GDPR data deletion from UK-based company they also wanted to confirm my identity, hell they will.

    I hit them with the fact that a person controlling the e-mail address can use their ‘Forgot password’ feature to take control over the account and access my sensitive data they’re in possession of or steal my identity using their own services. I also not so kindly suggested that I’ll report them so their security practices are investigated for the safety of their customers.

    …they deleted the data without any further questions.

    PS. Not sure about UK laws, but for GDPR: Always request confirmation of the deletion and the detailed steps they’ve taken to ensuring your data has been properly erased. They’re obligated to tell you that upon request.

    • AdvicePleaseThankyou@kbin.socialOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I hit them with the fact that a person controlling the e-mail address can use their ‘Forgot password’ feature to take control over the account and access my sensitive data they’re in possession of or steal my identity using their own services.

      this was their excuse to why they won’t delete my info without proof of ID.
      I told them no, I told them that if my bank or phone provider or online grocer who all have much more important and sensitive info, namely my payment/bank details, can verify me without extra documentation, so can they, they still said no.

      So I’ve filled a complaint with the ICO, there’s fuck all else I can do unfortunately…

  • AdvicePleaseThankyou@kbin.socialOP
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    Their reply:

    The reason that we ask for ID is to safeguard your personal data by verifying that the request is genuine before proceeding with deleting your personal data. This process is consistent with guidance published by the Information Commissioner’s Office. (https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/)

    The purpose of this process is to prevent someone unauthorised from requesting deletion of your data, for example where there are shared email addresses, or someone has access to your account or email address, or where someone is spoofing your email address. Please see our Privacy Policy (xxxxxx) for more information about personal data we collect store and process.

    Please be assured that when you send ID to our dedicated ID email address, this is automatically and permanently deleted from our systems within 7 days. We do not continue to store or process your ID beyond this time or use it for any other purpose other than to verify your identity to action your erasure request.

    If you would prefer not to send ID via email, you can post copies to our address and upon receipt from our team we will then securely dispose of the copies. Please send these to:
    Data Protection Team,
    xxxx
    xxx
    xx

    I hope the above explains our rationale and allays any concerns you may have. If you have any further questions please do not hesitate to ask.

  • asudox@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    European Data Protection Board, “Guidelines 01/2022 on data subject rights - Right of access”, Version 1.0, para. 73

    • AdvicePleaseThankyou@kbin.socialOP
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Took me a minute to find, but that’s really great info, thanks!

      I’ve already filled a complaint with the ICO since the company continued to refuse to delete my data, so we’ll see what they come back with (their own guidelines say something very similar - “they should only ask you for just enough information to be sure you are the right person”) if they side with the company I will definitely be quoting these guidelines.