• dan@lemm.eeOP
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Whenever I do this with other companies I do a SAR to get a copy of the data, then a RTBF request to get the data removed, then another SAR to see what they retained.

    A significant number say they delete your data and then happily send it back to you a coupla months later when you make an SAR. The ICO loves those ones.

    • Saxifraga@beehaw.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      That’s a great idea, I’ll do this too.

      Having also worked somewhere that was under GDPR, weaponised bureaucracy like this can really be used to consume staff resources.

      Edit: it looks like Reddit have changed their data request form. To make a full GDPR request, with the additional data in the template, you’ll need to email your request to Reddit (redditdatarequests@reddit.com).

      You can not only request your data, but also request information regarding how your data is processed and also about psudo-anonymised data. These are much harder to automate a response to.

      See here for examples from the template:

      1. the purposes of the processing;
      2. the categories of personal data concerned;
      3. the recipients or categories of recipient to whom the personal data have been or will be disclosed;
      4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
      5. where the personal data are not collected from the data subject, any available information as to their source;
      6. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.