Question about GDPR
I am in the EU.
I asked a company in which I had an account to delete my account. They told me they would do that as long as I sent them an ID and a postal address. This is to ensure that "I am the right person".
I never gave them an ID and a postal address in the first place so how would that verify anything, and I'm using the email that I used to sign-up with them to ask for the deletion.
Am I in the wrong to believe that this should be easier? Are they misinterpreting the GDPR or am I?
What are my options if I do not want to send my ID and postal address?
--
Their arguments are:
Article 5(1)(f) of the GDPR requires us to meet security obligations in data processing. Since data deletion is permanent, we need to ensure that the request is indeed from the person concerned.
Furthermore, Article 12(6) of the GDPR states: "…when the data controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, he may request the provision of additional information necessary to confirm the identity of the data subject."
From what I read, no they cannot require ID as it isn't reasonable to provide personal info they don't have. Some companies have already been fined for this.
European Data Protection Board news article "Dutch SA fines DPG Media Magazines for unnecessarily requesting copies of identity documents": https://edpb.europa.eu/news/national-news/2022/dutch-sa-fines-dpg-media-magazines-unnecessarily-requesting-copies-identity_en
Depends on how big a deal this service usually plays in users' lives? Like, if the service is so important as to require ID and postal adress to sign up, but then someone grabs your unlocked phone and nukes your account in 2 minutes, that's a bit sloppy on the part of the service, particularly if that can lead to bad things for the user. If they required that info on signup, I'm inclined to say this is not too insane of their part, particularly if that is their continued practice under GDPR.
Edit: A possible counterargument could be if you can authenticate yourself using less invasive means, e.g. because you can log into your account, and logging into the account could be used to do comparable harm to you as just deleting it.
Also, IANAL.
Yeah, as I said I never gave them such documents when I signed up. So I don't even understand how they could verify that the owner of the documents I provide during the GDPR request is the owner of the account.
Ooooh, I misread. I thought you had provided that exact info upon signup, so they could verify them as correct, but since they're in your account they can also just be pulled by someone else with access to your account.
In that case, I'd consider this a good bit more as stonewalling than my original comment. If it's not helpful in verifying your identity (is it? Did you register with your name as listed on ID?), I'd argue that it can't possibly be necessary to verify your identity.
Again, whether these steps are necessary or appropriate IMO probably depends on the nature of the service. An account like on tildes? Grossly overkill. An account that you do serious realworld business with, like renting cars or buying expensive goods? More likely to be appropriate.
Depending on how feisty I'd be feeling, I'd either just provide the info or make a stink. I doubt they'd use the info for non-intended purposes, that'd give you ammo to cause a very huge stink, so that path is probably fine. As for making a stink, in my country (DE) there's data protection officers that might be pissed if the company pulls anti-GDPR nonsense, and they have a more impressive letterhead than you do.
Thank you! I found their CEO's email but I think that your suggestion of contacting my country's data protection officers might be better, so I will do that for now. I found the agency in France which deals with this BS and have written them a letter detailing what has happened.
For more context, this account was with a consulting company with career coaches. I made a consultation with them last year (more than six months ago) and have never used my account since. So I think this might fall under "grossly overkill". Most people would have forgotten that they consulted a career coach by now, let alone get upset that their account was randomly deleted. But who knows, maybe I'm not most people.
I'd ask authorities. You probably have some kind of service/office in your country that may help you with such question.
I would start just with question and then write to that company that you spoke to authorities and they said to you this-and-that and the company should delete the acount without the need for ID (which I presume would be the case). The mention of authorities should stop them from making false/misinterpreted claims. If they just understood it badly, they will step back and cooperate. If they think they are right, then you can likely report them to the authorities (I would begood guy and try to resolve it, but reporting is still a possibility and probably last resort).
I'm in the US but have to comply with GDPR for certain data. As Vektor said part of it may be safeguarding against fraudulent requests. A second reason might be presenting a step in order to limit the number of requests they actually respond to. It isn't in the spirit of the law but I could see that happening.
Not everyone has great infrastructure to accommodate these as the laws around it are very clear that the cleansing must be thorough. The only footprint your data is allowed leave is aggregate anonymized data. If their processes are lacking it might mean a lot of work that they are trying to avoid.