r/gdpr

▲ 3 r/gdpr

Company refuses to give me info about a suspect impersonating account

Hi there,

as per title, I recently discovered that someone might have set up an account on an hosting provider, using my VAT id but under a different name. I'm a sole trader and as far as I know my VAT id represents personal data.

I asked the company to provide info about this account, but they refuse to disclose anything. They just mention that the name I provided in the GDPR subject request does not match what's in their records for the given VAT id (I also provided all the official document to verify that indeed my VAT id matches with my company name).

What else can I do other than requesting them to rectify the data? And what can I do next if they do not comply with the request?

Thanks.

reddit.com
u/valentinoga — 12 hours ago
▲ 16 r/gdpr

GDPR and secoundbest (ex brew dog)

So a bit of background I invested in Brew dog only a small amount which is now worthless since Brew Dog collapsed and was bought out.

Today I received an email from second best (owned by the former CEO of brew dog), offing a chance to invest in his new company.

Now from my understanding the new company should have no access to old data including any information about previous shareholders.

“Hi there,

I am writing to you as a fellow Equity Punk shareholder and as founder of a new beer business, called Second Best.
 
On behalf of Second Best, I am offering you the chance to claim the exact same stake in Second Best that you once held in BrewDog, for free.
 
You can register for your free equity here:
www.secondbest.beer
 
No catches. No cash required. And your equity will always rank alongside my own.
 
You will own it. I will fund it. And I will dedicate myself to building it.
 
And as for the name, well if we get this right then the second beer business that we build together might just be the best one. 🍻
 
If you have already registered, thank you for coming onboard! We will be in touch with further instructions and details after the registration is closed.

And please feel free to let your fellow Equity Punks know so that they can also claim their free equity. 

If you have any further questions, email us on hello@secondbest.beer.
 
James Watt
Second Best Founder & BrewDog Co-founder”

What do you think is this a GDPR breach?

reddit.com
▲ 3 r/gdpr+1 crossposts

HIPAA and GDPR compliance

How do you handle HIPAA and GDPR compliance when sharing visual patient data (like skin lesions or gait videos) with outside researchers?

I am trying to understand the process. Do you just manually blur faces in Premiere/Photoshop? Do you just avoid sharing it entirely? How much of a bottleneck is this?

reddit.com
u/Zealousideal_Fill904 — 2 days ago
▲ 6 r/gdpr

company saying I must send a request through physical mail to delete my account/data?

Hi, I recently emailed a company (US-based) requesting the deletion of my account with them (there was no way for me to just do this on their website myself) and my data because I was no longer using their service. Their support team replied back to me that I need to send a physical letter to their company headquarters in order to "withdraw [my] consent for [the company] to contact [me] for the continued collection, use or disclosure of [my] information."

Is this even legal? Do I have to post a physical letter at my own cost, or are they required to comply with my request over email? I'm not looking for legal advice just generaI advice because I am baffled and don't know what to do

reddit.com
u/DM_ME_RIDDLES — 5 days ago
▲ 2 r/gdpr

Is being short staffed a justified excuse to not recieving a SAR within the deadline?

It was extended initially for 2 months , so a total of 3 months already and now been told I will receive an update

reddit.com
u/kyrusdemnati — 4 days ago
▲ 1 r/gdpr+1 crossposts

CIPP/E Preparation

Hi guys, i know this has been asked a few years before but asking again -- how should i prepare for the exam? what kind of study materials should i be using? how long is the prep time? any advice and any tips would be appreciated.

Thanks!

reddit.com
u/stalkstvshows — 5 days ago
▲ 9 r/gdpr

Is this a beach?

Recently re applied for an old job. Had a friend of mine whose sister works there message me asking why I had applied to work there again. His sister doesn't work in recruiting or hr so really shouldn't know of who is applying for what and he also doesn't work for the company.

Why does my personal information need to be spread beyond the appropriate department?

Based in UK

reddit.com
u/Seanny67 — 6 days ago
▲ 119 r/gdpr

US Supreme Court just blew up EU-US Data Transfers

Key fragments from the article explaining the problem:

> oversight over data protection matters must be done by an “independent” authority. … So far, the US has appointed the “independent” FTC to be the US privacy regulator to meet the EU's requirement for independent oversight. … In a 180° turn on previous case law, the conservative majority in the US Supreme Court has now decided that the independence of the FTC is unconstitutional. … Given that the EU relied on the “independence” of the FTC as a privacy watchdog in almost all cases, the entire structure of the EU-US Data Privacy Framework has just collapsed.

Fragments of the article explaining the impact – seems like Schrems III is incoming:

> the European Commission's decision is formally in force until either the European Commission repeals it or the Court of Justice annuls it. Hence, there is no immanent effect. > >SCCs and BCRs also … rely on an “impact assessment”, which in turn relies on formerly independent US executive bodies such as the PCLOB or the Data Protection Review Court. [Data controllers] must immanently update their assessment – and logically come to the conclusion that data transfers are not legal anymore. > > noyb will also file a lawsuit in the coming weeks, aiming to allow the CJEU to annul the current deal.

Other discussions on this article:

Discussion about the Trump v Slaughter case on r/law – includes summary and links to media coverage.

noyb.eu
u/latkde — 6 days ago
▲ 1 r/gdpr+1 crossposts

DPA/GDPR exemptions for covert recordings in order to detect crime?

Location - England.

I own a pub and have discovered a lot of high value stock has been taken from my cellar which only staff have access to.

Rare, high end whiskey, cognac and champagne have all disappeared over the last year. It has been a slow process and at first I thought the sign out procedure I had in place just wasn’t being followed, but I now know after an independent stocktake that someone who works for me is stealing. I just don’t know who.

I have CCTV on the door to the cellar but not inside the cellar itself. I could install CCTV in the cellar with clear signage and the thefts would probably stop immediately, but I have lost thousands over this.

I believe and hope that I treat my staff incredibly well. They all get paid well over the norm for hospitality so I would very much like to know which one is stealing from me, but I can’t accuse without evidence.

I have purchased a covert camera that's inside a smoke alarm that I am thinking of installing on the ceiling of area where the thefts are taking place in order to catch the thief in action, but I don’t know if that's legal under DPA/GDPR rules.

If I install this camera and I find the thief, can I fairly dismiss them? Could I end up in more trouble than it would be worth? Is there an exemption within GDPR/DPA legislation that allows you to do what I’m thinking of doing as long as I don’t share the footage to anyone other than the relevant authorities? If there is, could someone let me know what it is and where I can find it because I’ve had a look and can’t find anything concrete.

reddit.com
u/indistrinct — 6 days ago
▲ 0 r/gdpr

Minors on a public leaderboard with pseudonymous names only. Is it legitimate interest or too risky?

Hello everyone,

Solo developer here, offline mobile game with a global leaderboard as a core feature.

All players get a random system-generated name by default.

Is it fine to publish a minor's score to the public leaderboard?

Getting parental consent isn't realistic for something like this.

So the real question is whether legitimate interest can actually cover this, or whether processing a minor's data this way is off the table regardless of how pseudonymous it is.

Not asking for a verdict on my specific app, more trying to understand where people generally draw this line.

I am mainly unsure, cause the leaderboard entry doesn't include email, real name, or anything tied to identity, but it's still personal data (an ID + score, and publicly visible), and it's a minor's data specifically.

Appreciate any pointers, especially from anyone who's dealt with this in games specifically.

reddit.com
u/MirakStudio — 5 days ago
▲ 0 r/gdpr

GDPR compliant AI model for SME 9p

I'm looking for an GDPR -compliant alternative for our highly inconsistent (and slow) Chat-GPT Business subscription. For dictation I'm using Assembly (Ireland), for coding Claude Code (without using user data, and without connectors), but did not find any alternative for coding / custom-GPT / cowork / skill (name it), that our end-users can deploy. Local LLM is probably not what we are looking for. Mistral maybe?

Any insight would be welcome.

reddit.com
u/No_Reference8164 — 6 days ago
▲ 0 r/gdpr

What counts as valid consent under the GDPR (and what doesn't)

Under the GDPR, consent only counts if it's freely given, specific, informed, and unambiguous, given by a clear affirmative action. Pre-ticked boxes, "by using this site you agree," and bundled all-or-nothing consent don't count. You also have to make withdrawing as easy as giving it, and be able to prove you got it.

Consent is one of the most misunderstood parts of the General Data Protection Regulation (GDPR), so here's the plain version. It comes straight from Article 4(11) and Article 7 of the regulation, plus the EDPB Guidelines 05/2020 on consent.

The four things consent has to be

- Freely given. The person needs a real choice, with no penalty for saying no. If access to your service is conditional on consent you don't actually need, it isn't free.

- Specific. One purpose, one consent. You can't collect a single yes and apply it to analytics, advertising, and profiling all at once. Each purpose gets its own option.

- Informed. Before they decide, people need to know who you are, what data you're collecting, why, and that they can withdraw at any time. Plain language, not buried in legalese.

- Unambiguous. It has to be a clear, affirmative action: ticking an unchecked box, flipping a toggle, clicking "accept." Silence or a pre-filled setting isn't agreement.

What doesn't count as consent

- Pre-ticked boxes or default-on toggles. The CJEU settled this in the Planet49 ruling.

- "By continuing to browse, you agree." Scrolling and continued use aren't consent.

- Bundling everything into one accept button with no way to refuse the non-essential stuff.

- Consent hidden inside your terms and conditions.

- Silence, inactivity, or a box the user never interacted with.

Two things people forget

- Withdrawal has to be as easy as giving consent (Article 7(3)). If it took one click to accept, it shouldn't take an email and three business days to undo.

- You have to be able to prove it (Article 7(1)). If a regulator asks, you need a record of who consented, to what, and when. A banner that collects consent but logs nothing leaves you exposed.

This is general information, not legal advice. If you're working through a specific setup, your DPO or legal team is the right call.

What trips you up most with consent on your own sites? Happy to dig into specifics in the comments.

reddit.com
u/iubenda_team — 7 days ago
▲ 7 r/gdpr

What's the most unusual DSAR you've had to deal with?

Without sharing any confidential details, what's the most memorable or unexpected DSAR you've received, and how did you handle it?

reddit.com
u/SeveralBill2240 — 8 days ago
▲ 0 r/gdpr

Hinge Data Deletion

Hi all,

Could I please ask all of you for your input on the below.

Summary: Based in Ireland. I believe hinge is wrongfully holding my data / keeping me in the dark about my data protection rights.

After 2 years and hundreds of respectful conversations on the dating app hinge, I was banned. I am certain I did not break any rule. As many of you might know, arbitrary bans are rife on dating apps.

I appealed and contacted support asking for a generalised reason. I was not provided with one, which to an extent is understandable.

They asked me to verify as the only means to progress my appeal. Twice, I asked to see their GDPR / data protection policy on the matter and for their DPO to be contacted. Both times the support replied without answering my question.

I think I want to go down the data deletion route. I am aware that data may be retained for certain legitimate purposes.

However, in the absence of the slightest reason, it is impossible for me to assess my rights - to decipher if this decision to retain the data was made lawfully (I mean something as vague as “we banned you as you broke rule 2 on ‘abusive language’”).

My local data protection authority - the Data protection commission (DPC) is Europe’s premier DPA. I note they have dealt with a few cases of this nature, which resulted in successful erasure / unbanning of the complainant. I will link them below.

Case study 1
Case study 2

Based on this, do you expect a complaint to the DPC being worthwhile / successful?

Interestingly, In Ireland under administrative law, when your rights are adversely affected by a decision you are entitled to enough of a reason to assess the legality of the decision.

Granted, this more-so applies to public bodies. But seen as 50%+ of people these days meet on daring apps, this is in a way affecting my rights. I.e to associate, to meet people and build relationships lol.

Please also find a similar (less hopeful) post on the matter.

See here for a previous post a similar issue, which I believe may be inaccurate

Thank you!

u/DublinThrowaway2023 — 8 days ago
▲ 1 r/gdpr

Healthcare SaaS requires doctors to import their entire patient database before patients sign up

TL;DR: A healthcare SaaS requires doctors to import their entire patient database before patient onboarding, claims to be a processor under Art. 28 GDPR, and relies on healthcare provision plus legitimate interest as the legal basis. Does this raise issues around joint controllership, Article 9, data minimisation, or Article 32 security?

I'm based in the Czech Republic (EU) and I'm looking for opinions on a GDPR issue involving a healthcare SaaS platform.

Here's the situation

My child's doctor uses a platform called Medevio for patient communication and appointment scheduling. It is not the primary medical record system, but it contains health-related information (messages, diagnoses, etc.).

Neither my wife nor I had ever registered with the platform.

We suddenly received SMS messages asking us to book a preventive examination. After following the onboarding link and verifying my wife's phone number via SMS, the system already knew our son's identity (displaying his name and a partially masked date of birth). It then requested his national identification number to complete the matching process.

We later contacted both the doctor and the platform.

The platform confirmed that:

  • Doctors are instructed by official documentation to upload their entire patient database into the platform, with little or no control over which patients are imported.
  • Our son's data was imported when the doctor synchronised patients.
  • Patients do not need to register before their data is imported.
  • If a patient deletes their account, the patient record remains in Medevio and is still visible to the doctor, but is no longer visible to the patient.
  • The platform considers itself only a processor acting under Article 28 GDPR.
  • Its website states that doctors should obtain patient consent before importing patients, but support also stated that the legal basis is the doctor's provision of healthcare services together with the doctor's legitimate interest in modernising patient communication.
  • An SMS code is used only during the initial registration/binding of a patient account. Afterwards, the account is protected only by username and password (no MFA despite access to health-related information).

Context

Ideally, I would like Medevio to improve its consent management and security practices without creating unnecessary burden for doctors. I'm considering reporting the matter to my country's Data Protection Authority, but before doing so, I'd appreciate some opinions from people familiar with GDPR.

My questions

  1. Is it realistic for the SaaS provider to be considered only a processor, given that it designed the patient import process, onboarding flow, authentication flow, and communication workflow? Or is there a credible argument that it is at least a joint controller for some processing operations?
  2. Is legitimate interest generally considered sufficient when an external SaaS imports health-related patient records before the patient has ever interacted with the service?
  3. From a data minimisation perspective, is importing an entire patient database before any patient decides to use the platform generally viewed as compatible with GDPR?
  4. Would the absence of MFA for ongoing access to accounts containing health-related information raise concerns under Article 32 GDPR, even though phone verification is performed only once during onboarding?
  5. If you were in my position, would you pursue this with the Data Protection Authority?

Link to page (Czech only): https://www.medevio.cz/

u/MrHaller — 7 days ago
▲ 0 r/gdpr

Under GDPR, what counts as "consent withdrawal being as easy as giving consent"?

I'm developing an evidence-based website privacy review methodology and came across an interesting edge case. I'd appreciate opinions from people familiar with GDPR and cookie consent.

During testing of a large website, I observed the following:

• On first visit, the cookie banner offered both Accept All and Reject Non-Essential.

• The banner also included a "Manage your cookie preferences anytime" link, which opened a preference center before any consent choice was made.

• After accepting or rejecting cookies, I could no longer find a reasonably discoverable way to reopen the preference center.

I checked the homepage, footer, Privacy Policy, and other obvious privacy-related links but couldn't find it.

My understanding of the GDPR is that withdrawing consent should be as easy as giving it. However, I'm trying to separate legal requirements from my own assumptions.

My question is:

If the preference center is available before consent but is no longer reasonably discoverable afterward, would you consider that compatible with the GDPR? Or is there guidance or case law suggesting otherwise?

I'm interested in evidence-based answers, including EDPB guidance, DPA decisions, or relevant case law if anyone knows of them.

reddit.com
u/PlainPrivacyHQ — 9 days ago
▲ 2 r/gdpr

Azure US Data Zone for AI inference in an EU app

Hi all,

I'm a solo developer building a small calorie/nutrition tracking app for the EU, and I'm trying to figure out my setup from a GDPR perspective.

User data would live in Supabase, hosted in Ireland. That includes things like:

name and account info
age
weight
food logs
nutrition goals
eating habits and preferences
chat messages
meal photos

For the AI chat feature, I'm planning to use Microsoft Azure AI Foundry, with the model deployed in East US under Data Zone Standard. So the flow would look roughly like this:

App -> Supabase Ireland -> Azure Foundry US Data Zone -> Supabase Ireland -> App
A few questions I'm hoping someone can help with:

Is this kind of setup generally OK under GDPR for EU users?
Is Azure US Data Zone plus Microsoft's DPA/DPF enough to cover the transfer?
Should I be treating this data as health data and asking for explicit consent?
Any red flags to this?

I know this isn't legal advice. I just want to sanity-check whether the architecture is reasonable, or whether I'm misunderstanding GDPR entirely.

Thanks!

reddit.com
u/Snoo1884 — 8 days ago
▲ 1 r/gdpr

Has my data been breached?

I work in a large security control room in England,

I got into work tonight and my manager presented me with still images of me working.

He states that a complaint came in a few days ago for how I handled an alarm (it was picked up "late" due to the computer freezing then crashing)

Is this unlawful use of my data?

I don't think there is anything in my contract regarding CCTV being used for performance ect

reddit.com
u/Enough-Coyote4049 — 10 days ago
▲ 0 r/gdpr

Built a free automated scanner for pre-consent trackers — where does automated GDPR checking actually break down? (genuinely asking the people who do this for a living)

I've spent the last few months building a tool that loads a site like a real browser and flags tracking that fires before consent — GA4 / Meta Pixel / TikTok going off pre-consent, pre-checked boxes, reject-parity, Consent Mode v2 signals, non-EEA CDNs as a Schrems II flag, that sort of thing. Each finding maps to the provision it touches plus a concrete fix. It's free, no signup, about to go live — and I've kept it framed deliberately as a technical signal, not legal advice.

That last line is exactly what I keep wrestling with, and it's why I wanted to ask here before I just ship it.

Three things I can't resolve on my own:

  1. Where does automated scanning actively mislead? I can detect a pixel firing pre-consent. I can't see whether there's a lawful basis I don't know about, or an LIA sitting in a drawer somewhere. I don't want to hand someone a scary red score that's wrong in context. Where have you seen automated "compliance" tools do more harm than good?
  2. Consent Mode v2 is the one I go back and forth on most — a site can be signalling it "correctly" and still be non-compliant, and the reverse too. How much weight would you actually give it?
  3. If a tool like this existed and you used it in your work, what would you want it to not do — where's the line where it stops being useful triage and starts being dangerous?
reddit.com
u/louarni — 9 days ago
▲ 1 r/gdpr

Question concerning site document that exposes file path on HDD and the editor's user name instead of a web link

I have witnessed that many users on the company I work for make the same mistake over and over again:

Instead of pasting web urls they paste the path of files on their PC (c:...[username]...) which exposes their user name and then post the document (with no private info) online.

Can this raise gdpr concerns since private information and part of their login credentials are exposed to the www?

reddit.com
u/eddytim — 10 days ago