Me: „I request full access according to Article 15 GDPR.“
Data Broker: „We do not have any of your personal data!“
Me: „Here‘s a screenshot of my personal data on your website. Also, I‘m insisting on my access rights.“
Data Broker: „Yes, well, we can delete that if you like.“
Me: 🤦♂️
@ralb I keep making SARs to organisations and getting the response "we have actioned your deletion request"... Which wasn't what I asked them to do and also means that they can't answer the SAR. Technically this makes them in breach of the law with no way to fix it, but in reality there's no penalty.
Also had a recent one where I was sent an Article 14 notification, so I SAR'd it and they insist that they don't hold my data. Clearly they had enough to send the A14 notification!
@steve I can’t comment on how these cases are treated by the British DPA now the United Kingdom has decoupled from the GDPR.
But in the European Union, it seems that we are finally making some progress in the right direction. Some recent ECJ and DPA decisions have scrutinized data broker‘s practices. Now it’s important to keep the pressure up, not necessarily for the penalties as such, but to make such problematic business models as uncomfortable as possible.
@ralb the UK hasn't decoupled from the GDPR (yet). The GDPR was adopted into domestic legislation as-is. The current government keeps making noises about "improving" (read: weakening) it, but it hasn't happened yet and will cause major headaches if it does.
The main problem is that the regulator (the ICO) is completely toothless. And that's mostly their own choice - they have the power to penalise offenders and for the most part don't bother.
Add comment