Fight For Privacy

294 readers

1 users here now

Fight For Privacy

A community to post, discuss and fight for our privacy.

Post Title Rule

Tag what the post is:

[DISCUSSION]
[CH], [etc.], : Article (tag the country, if not country specific use [ARTICLE])
[SEARCHING]: Searching for people/activists
[GUIDE]: Guide or how to
[UPDATE]: Moderator update for community

Post examples

[EU] - Title of the link/post
[DISCUSSION] - Privacy ...
[SEARCHING] - Referendum ...

Language: English

Rules

Keep the topic on privacy
Be respectful and tolerant
When posting link use tools like CleanURL to get rid of trackers
When posting numbers or statements, you need to link the source
Promotion of products/brands are forbidden
Politics not regarding privacy is forbidden, keep it on laws/decisions that concern privacy
If possible post Invidious links instead of YouTube

[email protected]

founded 1 year ago

MODERATORS

[email protected]

[EU] (GDPR) Data controller refuses to honor requests unless an ID card is supplied - IN COLOR (links.hackliberty.org)

submitted 9 months ago* (last edited 9 months ago) by [email protected] to c/[email protected]

1 comments fedilink hide all child comments

cross-posted from: https://links.hackliberty.org/post/435505

A data controller responded to a #GDPR request under art.15 & 17 (thus, an access request coupled with erasure request). They responded with a refusal, demanding ID card. They probably demanded it be in color, but I responded with a black and white copy of my ID. They refused again, affirming that the ID card must be in color. So then I sent them a color copy, but I used black boxes to redact my facial image and all personal text except my name. They again refused to honor my request, saying “zonder vlekken en met een goede resolutie om te worden geaccepteerd”. That translates into “without spots or stains”, correct? I don’t think that means without redactions.

Anyway, I would like a GDPR expert to confirm or deny whether the controller’s refusal and demands are lawful.

The relevant GDPR text is:

https://gdpr-text.com/read/recital-64/

https://gdpr-text.com/read/article-12/#para_gdpr-a-12_6

My request (via post) included my residential address and also mentioned a unique email address that only that controller knows me by (though they would not necessarily know it’s unique). Shouldn’t that be sufficient?

UPDATE

This abstract covers some of my questions. Indeed redactions on the ID card are allowed when making requests.

top 1 comments

sorted by: hot top controversial new old

[–] cosmicrookie 5 points 9 months ago

I'd just reply to the data controller that you will be needing the following information to file a complaint with your local data authorities

Official company name Restoration adresse Registration number

Prefered means of communication (phone/letter/mail)

This usually does the trick for me. Also mention that you have repeatedly requested your data to be deleted and will gladly verify your account using email but are not willing to give them even more sensitive information than the ones you're asking them to delete.