A marketing agency disguised its identity and did not have a functional unsubscribe system in its marketing emails. Additionally, a popular restaurant chain pretended its marketing was a ‘service message’ and a university used dark patterns in its cookies ‘consent’ mechanism.
Tag: gdpr
Public bodies often run public consultations on proposals for policy changes – but is it appropriate to publish a list of individual respondents’ names by default? And how does the Right to Object apply to processing based on the public task basis? I discuss this in this case study of my data protection complaint to the Sentencing Council, which constructively took action to resolve my concerns. Photo ID demands and unnecessary cookies also make an appearance – again.
Under Article 17 of the GDPR, you have the right to have most of your personal data deleted. Data controllers must usually comply with your erasure request within one month. But what data can companies typically keep about you after your request – what about invoices, for example? And what can you do if they don’t comply with your request? I discuss the civil court remedies that were available to me when I found out that a company stealthily kept my sensitive personal data, even though I’d asked for it to be deleted months earlier.
I sent two IT webshop companies an erasure request. I also informed them of a security vulnerability in the way they processed my invoices and I objected to them processing my invoice data in this way. The companies repeatedly refused to act on my GDPR requests and they failed to acknowledge the vulnerability. So I took them both to court.
Organisations must comply with strict rules if they want to send electronic direct marketing mail to people. Many organisations send out legitimate ‘service’ emails, but some choose to add advertising, marketing or promotional material to their supposed ‘service’ emails in an attempt to circumvent the direct marketing rules. Of course, it doesn’t quite work like that and mistakes can be costly…
I sent a UK company a GDPR erasure request, but they demanded that I email them a copy of my driving licence before actioning my request. Here’s what happened when I challenged their intrusive, unsecure and likely unlawful demand…