Their reply to my request to delete my data:
Thank you for your email requesting your right to be forgotten.
In order for us to carry out this request, we require proof of ID to ensure we only action requests made by the genuine owner of this email account. Acceptable forms of identification are,
- Recent utility bill from the last 3 months (e.g. Gas, Electric)
- Valid drivers License
- TV License within the last 12 months
- Council Tax Letter within the last 12 months
- Title Deeds
That’s wild.
Tangentially, fuck a TV license.
It is, had a proper look and also definitely not what they’re meant to be doing:
https://ico.org.uk/for-the-public/your-right-to-get-your-data-deleted/#:~:text=The%20organisation%20should%20delete%20your,impossible%20or%20involve%20disproportionate%20effort.
I replied saying no, and told them again to delete my data.
i guess it’s related to the following; exercising your rights under gdpr requires the other party to be able to identify you. that’s why they need this information. if you want to (potentially) fuck with them: first ask for a listing of all the information they have about you, before asking for deleting your data. this listing must contain the request itself. if your request is missing, they are likely breaking compliance rules.
first ask for a listing of all the information they have about you, before asking for deleting your data. this listing must contain the request itself. if your request is missing, they are likely breaking compliance rules.
I’m not quite understanding, do you mind breaking that down for me?
1.) Ask for a listing of all the information they have about you.
2.) If your aforementioned Deletion request (see title) is missing from that list, they are likely breaking compliance rules.
3.) …
4.) Profit!
Thanks that’s more clear, but will they not just ask for an ID again before they’d agree to send that info?
i doubt there is profit to be made. it’s more to keep them busy and learning about gdpr.
one of your rights under gdpr is that you are entitled (free of charge) to a listing of all the data the other party has about you.
when you ask them about this listing this request itself becomes data the party has about you. it should therefore he included in the listing. (it is self referential, but that’s how it is).
if the information that you requested such a listing is missing from the data they provide in response to you request, they are in breach of gdpr rules. from them on you might want to file a complaint.
( I’ve no idea whether this would result in any meaningful compensation, if at all. but at least it should keep them busy.)
Their reply:
The reason that we ask for ID is to safeguard your personal data by verifying that the request is genuine before proceeding with deleting your personal data. This process is consistent with guidance published by the Information Commissioner’s Office. (https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/)
The purpose of this process is to prevent someone unauthorised from requesting deletion of your data, for example where there are shared email addresses, or someone has access to your account or email address, or where someone is spoofing your email address. Please see our Privacy Policy (xxxxxx) for more information about personal data we collect store and process.
Please be assured that when you send ID to our dedicated ID email address, this is automatically and permanently deleted from our systems within 7 days. We do not continue to store or process your ID beyond this time or use it for any other purpose other than to verify your identity to action your erasure request.
If you would prefer not to send ID via email, you can post copies to our address and upon receipt from our team we will then securely dispose of the copies. Please send these to:
Data Protection Team,
xxxx
xxx
xx
I hope the above explains our rationale and allays any concerns you may have. If you have any further questions please do not hesitate to ask.
Considering the information I’m asking them to delete, yes.
Yup, pretty normal.
