r/gdpr

▲ 0 r/gdpr

Just got off the phone with Apple support and they just told me they won't delete my account. Next steps?

I have no access to the account. It is in need of an "update", but there's no real way of updating it so I can have access to delete it manually. Already tried with support. I asked if there was a recourse to delete the information now that it is impossible to access my account, to which I was told after holding that there wasn't.

Now correct me if I'm wrong, but isn't this in total violation of the GDPR? Do I have any legal recourse that is realistic for me to apply?

u/Cultural_Thing1712 — 2 days ago
▲ 0 r/gdpr

GDPR - universities

Long story short - I was falsely accused of harassment and stalking. It was dropped by the police but the university continued. Under gdpr, the only specifically protected information that universities do not have to provide is academic information and protected references.

This leads to the absurd conclusion that investigations into misconduct are entirely accessible as long as they contain means by which I can be identified. Can I use this to access deliberations about myself made by staff members?

More concerning, supplementary data guidance states that I am entitled to the identities of data recipients, and to categories if such a request is impossible or manifestly unfounded. So am I entitled to the identity of the students who have complained about me if they received my personal data of the outcome? Such as X person has been fined. According to the guidance maybe?

What I want to find out is what medical information was given to staff members in the organisation, and how this was shared, however the more information I can gather the easier it will be to complain or fight any decision of guilt.

On the one hand, it feels draconian that work with the expectation of privacy has already been handed over to me. On the other hand, it seems only to benefit me and I want to utilise as much as I can before being accused of making "manifestly unfounded" requests.

The information already handed over to me has been redacted so that it is unreadable, and I cannot differentiate between myself, the university, and NHS in emails. I have challenged to the ICO.

u/Smart-Stick-1392 — 2 days ago
▲ 11 r/gdpr+1 crossposts

I've been mapping out which Software & AI tools in my workflow actually have European alternatives.

I've been trying to replace as many US-based AI tools in my workflow as possible and spent some time researching what's actually out there from Europe. Thought I'd share the overview in case it's useful for others doing the same.

Category                      | EU Tool     | Notes
Agents & Workflow Automation  | n8n         | Self-hostable, GDPR-compliant
Chatbots & Customer Support   | moinAI      | Made in Germany, B2B-focused
Coding                        | MistralAI   | European LLM, strong open-source track record
Search & Research             | Ecosia AI   | Privacy-friendly, Berlin-based
Documents & Knowledge         | Neuland AI  | Good for internal knowledge bases
CRM & Sales                   | Sellsy      | French CRM with AI features built in
Meetings                      | tl;dv       | Auto-transcription, EU-based

Not every category is fully covered yet and some categories still don't have a real alternative. But it's getting better every day I think.

If you know of others worth adding, drop them below.

Categories I'm still looking for good tools:

  • Tableau for data analytics
  • Loom for video recording
  • Zoom / Google Meet for video calls
  • ChurnZero / Gainsight for CSM
u/creamyHamster — 2 days ago
▲ 0 r/gdpr

Docker Hub images aren't CRA compliant and that should scare you

Checked last week. Our main base image has 47 known vulnerabilities. We've been pulling it from a public registry for two years, and we've never questioned it because it's free and it works every time.

Under CRA that math changes. Those 47 CVEs become our liability and not the registry's or the maintainer's. We're the manufacturer shipping a product with known vulnerabilities to EU customers. The regulation doesn't care that we didn't write the vulnerable code. It cares that it's in our product.

There's no patching guarantee on those public images. No SBOM. Nobody committing to fix anything by any deadline. We trusted free and the bill's about to arrive.

I'm not saying everyone needs to panic and rewrite their entire pipeline. But I am saying if you haven't checked what's in your base images yet, now's a really good time. Any thoughts or approaches?

u/Beastwood5 — 3 days ago
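The first practical step the post asks about ("check what's in your base images") is to scan the image and make the result actionable. The following is an added example, not code from the post or from any scanner vendor. It assumes a report in the JSON layout Trivy produces with `trivy image --format json -o report.json <image>` (a `Results` array, each with a `Target` and a `Vulnerabilities` array that is `null` for clean targets), and a build policy of my own choosing: findings at or above a severity threshold that already have a fixed version fail the build, while findings with no fix yet are listed for tracking rather than blocking. The sample report and its CVE identifiers are constructed placeholders so the script runs offline.

```python
"""Triage a Trivy JSON report for a container base image.

Added example, not code from the original post. Assumes a report written by
`trivy image --format json -o report.json <image>`. The CVE ids below are
constructed placeholders, not real advisories.
"""
import json
from collections import Counter

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample report for offline use (identifiers are made up).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/base:latest",
    "Results": [
        {
            "Target": "registry.example/base:latest (debian 12.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tool3",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"},
            ],
        },
        # Trivy emits null, not [], for a target with no findings.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
})


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into a list of plain dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # guard the null case
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion") or None,   # "" means no fix yet
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return findings


def summarize(findings):
    """Count by severity and split findings by whether an upstream fix exists."""
    by_sev = Counter(f["severity"] for f in findings)
    fixable = [f for f in findings if f["fixed"]]
    unfixed = [f for f in findings if not f["fixed"]]
    return {"total": len(findings), "by_severity": dict(by_sev),
            "fixable": fixable, "unfixed": unfixed}


def gate(findings, fail_at="HIGH"):
    """Return (ok, blocking). Blocking = at/above `fail_at` AND a fix exists.

    Unfixed findings are not blocking here: you cannot rebuild your way out
    of them, so they go on the tracked list you document instead.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if f["fixed"] and SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    s = summarize(fs)
    ok, blocking = gate(fs)
    print(f"{s['total']} findings: {s['by_severity']}")
    for f in blocking:
        print(f"BLOCK {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['severity']})")
    for f in s["unfixed"]:
        print(f"TRACK {f['id']} {f['pkg']} {f['installed']} (no fix yet, {f['severity']})")
    raise SystemExit(0 if ok else 1)
```

Run it against a real report by replacing `SAMPLE_REPORT` with the contents of `report.json`; the non-zero exit status is what you wire into CI. The split between "blocking" and "tracked" is deliberate: a base image that is one `apt upgrade` or one tag bump away from clean is a different problem from a package with no upstream fix, and the CRA-style question of whether you can commit to a remediation timeline depends on which bucket a finding is in.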
▲ 0 r/gdpr

Unjust Permanent Ban Used to Obstruct GDPR Rectification

I am forced to write this publicly because EA has been blocking or ignoring all direct communication with their Legal Department, Data Protection Officer, and Privacy team.

  1. Background of the Account
    Since 2019 I have played Apex Legends on PlayStation with the PSN ID Hrc_Tequilla (and previously also Hrc_prooffe / Prooffe96).
    I built a legitimate Level 500 account with heirlooms, rare skins, badges, battle passes and thousands of hours of gameplay.
    I have never received any ban or sanction on this account or my previous accounts since 2019.
  2. Origin of the Problem (around 2023)
    In 2021-2022 I bought a PC and created a new EA account. Around 2023, after the introduction of cross-progression, a faulty PSN-EA account linking occurred. My entire original progression became disconnected from the correct EA account and was lost.
  3. Two Years of Support Attempts (2023 – November 2025)
    For more than two years I contacted EA Help repeatedly through multiple EA accounts. Every ticket followed the same ineffective loop with no resolution.
    When I mentioned my GDPR rights as an EU citizen (Belgium) and asked for contact information of higher support or the GDPR team, multiple agents ignored my requests and simply ended the chat or disconnected the conversation. This happened repeatedly.
  4. Formal GDPR Rectification Request (20 November 2025)
    On 20 November 2025 I submitted a formal rectification request under Article 16 GDPR, Article 5(1)(d) GDPR and Article 12(3) GDPR.
  5. EA’s Own Confirmations and Failed Recovery Process (November 2025)
    EA Customer Relations confirmed in writing that they had located my PSN Hrc_Tequilla in their historical records and that the data still existed on the correct EA account.
    They explicitly stated: “we can start the verification process to start recovery”. I immediately confirmed I was ready and willing to complete all verification steps. Despite multiple follow-up emails to [edit: email address removed] and [edit: email address removed], I received no response and no further instructions.
  6. Sudden Ban Before GDPR Deadline (30 November 2025)
    On 30 November 2025 — while my GDPR rectification request was still active and the legal 1-month deadline (20 December 2025) had not yet expired — a permanent ban (Request-2820450) was suddenly applied to the account.
  7. EA’s Sanction Notice (19 May 2026)
    EA sent a notice with almost no evidence — only one vague log entry (time: 2025-11-30T15:22:59.898168Z → type: ban) and an incorrect platform listed as Nintendo Switch (while I play exclusively on PC).
  8. Apparent Retaliation and Obstruction
    I have now been forced to fight a permanent ban that has already been denied multiple times. This gives the strong impression that the ban was applied because the GDPR deadline was approaching, allowing EA to hide behind their Terms of Service instead of fulfilling their legal obligations.
  9. Suppression of Discussion
    Most of my posts and replies on the official EA forums discussing this matter are quickly deleted under the reason “spamming”. It would be far simpler for EA to help me recover my legitimate account rather than continuing to obstruct and silence me.
  10. Current Situation & GDPR Violations
    According to Article 12(3) GDPR, EA was required to respond to my rectification request within one month (by 20 December 2025) at the latest. It has now been over 7 months since my request on 20 November 2025 with no proper resolution.
    EA has committed multiple violations of the GDPR, including:
      • Article 12(3) — Failure to respond or rectify within the mandatory one-month period (now more than 7 months overdue).
      • Article 16 — Failure to rectify inaccurate personal data (wrong PSN-EA account linking).
      • Article 5(1)(d) — Violation of the accuracy principle.
      • Article 12(1) & 12(2) — Failure to facilitate the exercise of my GDPR rights (chats ended when GDPR was mentioned, ghosting after agreeing to verification).
      • Article 5(2) & Article 24 — Lack of accountability and responsibility.
      • Obstruction / Retaliation — Applying a permanent ban precisely when the GDPR deadline was nearing, effectively sabotaging my ability to exercise my rights.
    The ban now blocks the GDPR recovery process I was actively following. EA’s internal rules and Terms of Service cannot override mandatory EU GDPR obligations.
u/Hungry_Pirate5268 — 3 days ago
▲ 42 r/gdpr

American video game company refusing to delete account

An American video game company, namely Roblox, that has an overwhelmingly young player base refuses to delete accounts based on "not being able to verify ownership". After appealing their decision and asking for a way to verify my identity, the support outright refuses to give me a way to properly verify myself for account deletion.

Upon researching this online, I've seen someone saying that this company is notorious for making it as difficult as possible to delete one's account because "they like to hoard data".

I currently don't have the time and the resources to do anything against it in this case, but I would like to know, especially if there is any GDPR pro or lawyer in here, if something could be done about this practice by this company in general, since deleting one's data should generally be easy, accessible and possible.

u/sdsdfsdjs9as — 4 days ago
▲ 2 r/gdpr

Waiting nearly a month for Right to Erasure on this game. *r****x*.

I am from Poland and I know that the EU is strict about the Right to Erasure, and I applied for one. I did an age check on this game and I truly, truly regret it.

u/StrengthNervous2041 — 3 days ago
▲ 1 r/gdpr

Can work record meetings

Is it allowed for work to video record all meetings? Am I allowed to say I'm uncomfortable with that and I won't attend?

These are for regular team meetings of about a dozen of us. This started because the minute taker said she'd miss out details without a recording (she has left and this reasoning no longer applies)

u/AnonClinResearcher — 4 days ago
▲ 2 r/gdpr

Received a work cold call on my personal mobile, told they use an AI lead generator

I recently started a new job and received a cold call from another business trying to see advertising space. Issue is this call came to my personal mobile, which has no connection to the company I just started.

I asked them how they got my number and they told me they use an ai lead generator to get potential client information. They knew where I worked so it wasn’t like they were calling any number.

Firstly, is this a common and acceptable way to create new leads, and how has this found and connected my personal number, and connected it to a job I only started weeks ago?

(It isn’t LinkedIn as I don’t have my number connected to my account)

u/ImpactAffectionate86 — 4 days ago
▲ 0 r/gdpr

Employer shared name & email without consent

I work occasionally for a hospitality company as and when I want to, I just sign up for shifts when needed. I didn’t sign a contract, and when I first started I didn’t even start to get payslips but they seemed to have sorted their shit out and I now do. I got an email randomly to my personal email address to ask me to complete training for them, I didn’t give consent for my name and email address to be passed over and I won’t be signing up. I have emailed the training company asking how they got my information without my consent but they’ve yet to reply. Is this a breach of gdpr from the company I work for?

u/walkerteddy_ — 5 days ago
▲ 0 r/gdpr

NHS Palantir contract -- processing special category health data for tens of millions. Where's the published DPIA?

The NHS Palantir FDP contract is live across 120+ trusts. It's processing special category health data at scale, on infrastructure subject to US jurisdiction, through a semantic layer that independent experts describe as opaque.

Under UK GDPR, a Data Protection Impact Assessment is mandatory before processing likely to result in high risk to individuals. Large scale special category data. Systematic processing. Significant effect on individuals. Any one of these triggers the obligation. NHS patient records hit all three.

Was a DPIA completed before go-live? Was it published? Did the ICO review it? Who signed off on the residual risks?

And it's not just an NHS England problem. On the Isle of Man, sixteen health-tech vendors are right now working inside Manx Care infrastructure -- every one running on AWS, Azure, or GCP, every one subject to US jurisdiction under the CLOUD Act and FISA 702 -- under a governance framework that hasn't received Royal Assent yet.

Same special category data. Same missing DPIA. Same question.

Full piece: haunted.lighthouse.co.im/articles/wheres-the-dpia/

u/The1Poet — 5 days ago
▲ 0 r/gdpr

Previous employer - data retention/data breach question

This morning, I received an email from a previous employer (2021 to early 2022) that there had been a data breach and my personal info, including contact info, bank details, and NI number, may have been accessed.

This seems a long time for an employer to keep my data - should they still have had that info on file?

u/Dangerous-Cable-1816 — 5 days ago
▲ 10 r/gdpr

Has anyone actually had to honour a GDPR deletion request across modern SaaS stacks (Stripe, HubSpot, GA4, Zendesk, backups etc.)? How messy was it?

On paper the “right to erasure” sounds straightforward, but the modern systems are quite split, and it seems to guarantee complete deletion with confidence.

Especially curious how people handle:

  • backups/immutable storage
  • third-party integrations
  • analytics/logging pipelines
  • data duplicated across environments/tools

I really just want to hear how this works in real companies vs how it’s described in docs.

u/WolfParticular2348 — 6 days ago
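The four bullets in the post are really one data-mapping problem, and the backups bullet is the one that breaks the naive "call delete on every system" approach. The following is an added example, not code from the post or from any company's tooling. The system names (`crm`, `billing`, `analytics`, `backup`), the per-system modes and the retention period are assumptions, as are the in-memory `Store` objects standing in for the real SaaS APIs. The pattern it shows is: one ledger entry per system so you can answer the requester with specifics, `anonymize` rather than `delete` where a record must be kept for accounting, and, for immutable backups, a suppression list plus an expected rotation date instead of a deletion you cannot actually perform, with the suppression list replayed on every restore so the subject does not silently come back.

```python
"""Erasure ledger with a suppression list for backups.

Added example, not code from any real product. System names, modes and
retention are assumptions chosen to illustrate the pattern.
"""
from datetime import date, timedelta

# Constructed data map. Mode per system:
#  "delete"    : hard delete through the system's API
#  "anonymize" : record must be kept (e.g. invoices), so strip identity fields
#  "expire"    : immutable backup; cannot delete, wait for rotation + suppress on restore
DATA_MAP = {
    "crm":       {"mode": "delete"},
    "billing":   {"mode": "anonymize", "keep_fields": {"invoice_id", "amount"}},
    "analytics": {"mode": "delete"},
    "backup":    {"mode": "expire", "retention_days": 30},
}


class Store:
    """Toy stand-in for a SaaS system holding records keyed by subject id."""
    def __init__(self, name, records):
        self.name = name
        self.records = dict(records)


def plan_erasure(subject_id, data_map, today):
    """One planned action per system; backups get an expiry date, not a delete."""
    plan = []
    for system, cfg in data_map.items():
        action = {"system": system, "subject": subject_id, "mode": cfg["mode"]}
        if cfg["mode"] == "expire":
            action["expected_gone_by"] = today + timedelta(days=cfg["retention_days"])
        plan.append(action)
    return plan


def execute(plan, stores, data_map, suppression_list):
    """Apply the plan and return ledger entries a DPO can hand to the requester."""
    ledger = []
    for action in plan:
        store, cfg, subj = stores[action["system"]], data_map[action["system"]], action["subject"]
        if action["mode"] == "delete":
            existed = store.records.pop(subj, None) is not None
            status = "deleted" if existed else "not_present"
        elif action["mode"] == "anonymize":
            rec = store.records.get(subj)
            if rec is None:
                status = "not_present"
            else:
                store.records[subj] = {k: v for k, v in rec.items() if k in cfg["keep_fields"]}
                status = "anonymized"
        else:  # "expire": record the promise, and make sure restores honour it
            suppression_list.add(subj)
            status = "suppressed_until_rotation:" + action["expected_gone_by"].isoformat()
        ledger.append({**action, "status": status})
    return ledger


def restore_backup(backup_store, target_store, suppression_list):
    """Restoring a backup must replay erasure: suppressed subjects are dropped."""
    restored = dropped = 0
    for subj, rec in backup_store.records.items():
        if subj in suppression_list:
            dropped += 1
            continue
        target_store.records[subj] = rec
        restored += 1
    return restored, dropped


def run_example():
    """Constructed walk-through: erase subject u1, then restore a backup into crm."""
    today = date(2026, 1, 15)
    stores = {
        "crm":       Store("crm", {"u1": {"email": "a@example.org"}, "u2": {"email": "b@example.org"}}),
        "billing":   Store("billing", {"u1": {"invoice_id": "INV-1", "amount": 10, "name": "A"}}),
        "analytics": Store("analytics", {"u2": {"events": 3}}),   # u1 never reached analytics
        "backup":    Store("backup", {"u1": {"email": "a@example.org"}}),
    }
    suppression = set()
    ledger = execute(plan_erasure("u1", DATA_MAP, today), stores, DATA_MAP, suppression)
    restored, dropped = restore_backup(stores["backup"], stores["crm"], suppression)
    return stores, ledger, restored, dropped


if __name__ == "__main__":
    stores, ledger, restored, dropped = run_example()
    for entry in ledger:
        print(f"{entry['system']:<10} {entry['status']}")
    print(f"restore: {restored} restored, {dropped} dropped by suppression list")
```

Two things the ledger gives you that the docs usually gloss over: `not_present` is a real, reportable outcome (you checked, and the subject was not there), and the backup entry states a date rather than claiming a deletion that did not happen. The suppression list is the piece most stacks are missing; without it, the first disaster-recovery restore quietly undoes every erasure you ever confirmed.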
▲ 1 r/gdpr

Collecting and storing public data and information

I'm building a tool for a customer which collects information on doctors that is publicly available for example research papers, articles, etc to build a profile of the doctors so my customer can understand their interests and provide better marketing and sales content

There is a mutual interest as my customer wants to provide a better service, but do we need additional permission from the doctors to store this information long term?

Currently we are planning on pulling the data then deleting it straight after use, but are now exploring if we can do it long term

Anything else I need to be aware of?

u/Pure-Researcher-8229 — 7 days ago
▲ 0 r/gdpr+1 crossposts

GDPR breach by concierge leading to eviction proceedings

I’m looking for advice on whether anyone has successfully claimed compensation from a concierge service or landlord for a GDPR/data protection breach.

I’m a tenant in a flat. I met a man and we got into a relationship. After he lost his home, he moved into my flat as a lodger and agreed to pay a monthly rent. After a couple of months, he stopped paying and his behaviour became violent. Eventually, I had enough, changed the locks, and put his belongings outside.

That night, when he couldn’t get back into the flat and found his things outside, he went to the concierge building (which has a 24/7 concierge). He told the concierge on duty that he had been a tenant and that he had been illegally locked out.

During that interaction, the concierge disclosed personal information about me without my permission, including details about my tenancy, my residency situation, and the identity of my landlord and managing housing company, which I had never shared with him. The concierge on duty also said she would be willing to give a statement to the police in support of his unlawful eviction claim, without knowing anything about him or the full situation at the time. She later did not provide a statement, although she had initially said she would.

I have proof of what was said because my ex-partner included details of that conversation in his own claim against me (for unlawful eviction), including the name of the concierge on duty and what was disclosed to him that night. I can also submit a SAR, although I’m not sure what may or may not still be retained.

Following this, he contacted my landlord using that information. My landlord has now served me with a Section 8 eviction notice for having an unauthorised lodger and a Section 21 notice (before May 1st).

This situation has caused significant emotional distress (I have medical fit notes and prescriptions to support this), and I am now facing eviction proceedings and at risk of losing my home.

I want to understand whether anyone has successfully claimed compensation in similar circumstances, and what the best process is in England. Whether the complaint should go through the concierge company, the landlord, or both, and whether GDPR/data protection claims like this are realistically successful and how much compensation it's fair for me to ask?

I don't have a budget for a solicitor unfortunately.

u/Mae192192 — 7 days ago
▲ 5 r/gdpr

2026 and major medical company still using marker pen to redact!

So I just received a SAR response that I'm guessing a staff member marked with biro to show what needed redacting and then went over with black marker pen; everything is still completely visible.

I'm able to read 90% of the 'redaction'. I'm just amazed that in 2026 this counts as redaction.

u/AgitatedFudge7052 — 7 days ago
▲ 0 r/gdpr

How do I protect myself correctly?

I have an app that doesn't store much information. Logins are with Google and Apple and payments are processed through Creem MoR. I don't store DMs, and I don't need camera, microphone or gallery access. What do I need to write in my terms and privacy policy to be 100% legal?

u/Athletehib — 7 days ago
▲ 19 r/gdpr+1 crossposts

Law firm (Debt Collector) refusing Subject Access Request citing "Legal Privilege" & offering a summary. Is there anything I can do?

Hi everyone, looking for some technical advice on how to handle a law firm that seems to be misapplying GDPR exemptions.

Context: A corporate energy supplier and their instructed law firm (acting as debt collectors) aggressively chased me for months over a debt I did not owe. I am a commercial freeholder, and they incorrectly billed me for an upstairs leasehold flat. The energy supplier has now finally admitted their mistake and dropped the case, but the law firm's handling of my data has been highly suspect.

The SAR: While fighting the case, I submitted a formal Subject Access Request to the law firm hoping to get an understanding into why they are chasing me for this debt, explicitly requesting full copies of all personal data, internal case management logs, and communications regarding my account.

Their Response: They missed the 30-day deadline, and when they finally replied, they completely refused to provide the source documents. Instead, they gave me a 3-line "summary" (which just contained my name and address). They justified withholding the full file with the following exact quotes:

  • "The information we hold is interlinked with third-party data, commercially sensitive content, or legally privileged material. Providing a summary allows us to give you all information without infringing others’ rights."
  • "Some records contain internal assessments, security-related content, or technical logs that cannot be released in full."

My Assessment & Questions for the sub: My understanding of ICO guidance is that Legal Professional Privilege (LPP) only covers communications made for the dominant purpose of legal advice. Standard debt-collection case management logs, system notes, and automated actions are administrative and should not be covered by LPP.

Furthermore, even if the file does contain legally privileged or commercially sensitive third-party data, shouldn't they be legally obligated to redact those specific lines and provide the remainder of the documents, rather than using it as a blanket excuse to withhold the entire file and offer a "summary"?

u/Ok-Professor-8112 — 9 days ago
▲ 4 r/gdpr+2 crossposts

GDPR breach?

Hi,

I have a formal grievance hearing coming up and discovered that my entire evidence pack has been shared without my knowledge (via OneDrive link).

The person it's been shared with is a senior manager, not part of the grievance panel and is named in the grievance which is about failure to follow policy and process, failure to make reasonable adjustments and detrimental treatment after raising concerns. The pack contains lots of sensitive health information.

Would this constitute a GDPR breach? If so, what could I do about it?

Thank you

u/Adventurous-Jury-393 — 8 days ago
▲ 0 r/gdpr

Reason to believe somebody's committing benefit fraud - can I report it?

As part of my job I've been given evidence that somebody is receiving payments due to their ill health preventing them from working. However, they've told me that they don't have any health problems that will affect them on our trip, which is just as intense as any job.

Could I report this to the relevant authorities, or would it violate GDPR?

u/imbasicallyhuman — 8 days ago