Reddit sent me invitations to their IPO to my "deleted" accounts! That's a GDPR violation!
Ironically, you are on a privacy-offending Cloudflare site (#LemmyWorld), so Tor users are blocked from your image. If you care about privacy you will bounce from that instance.
Without seeing the image, I have to ask how an anonymous user gets #GDPR rights. Or has #Reddit started supporting an identification mechanism of some kind? When I start the reg process, it asks for an email address, username, and pw, not a first + lastname.
Thanks!
The To: address in the header would be interesting. Of course, you wouldn’t want to disclose it verbatim here but it might be useful to have a rough idea. Was it [email protected] or some variation of that, or was it more like [email protected]? Some people here think it doesn’t matter, that it’s inherently personal info, but the European Commission says it matters. It’s not hard and fast; there are varying shades of gray here. Maybe they kept logs of your IP address and maybe that makes a difference. You might want to read WP136 (I have yet to read that).
I would love to see action taken against Reddit if anything just to burden their lawyers and create some costs for them. But I doubt it will go anywhere. GDPR enforcement is such a shit-show in Europe. Even dealing with clearly blatant violations that are wholly internal to Europe which should irrefutably incur penalties, simple obvious cases are being ignored by DPAs. So I have little confidence that this cross-border case would actually get results. The one factor in your favor is that Reddit is somewhat high-profile which might take a DPA’s interest.
I don’t think a “delete my account” button constitutes an Article 17 request. It removes the purpose of processing to some extent, which then relies on the data minimization principle (Art.5). Reddit can do a bit of hand-waving to make excuses like needing to retain your email address in case one of your posts sparks a legal inquiry. Your case would be stronger if you had submitted an explicit Art.17 request to Reddit.
From the email:
Per our lawyercats, we are not able to respond to further inquiries or questions.
I wonder if that statement might be actionable. Art.12 and 13 require Reddit to identify a data controller with a point of contact. And here they are outright stating in effect “we don’t want to hear from you”. I would stress that in your GDPR complaint, not just the misuse of your email which you expected to be deleted.
Also, I would look into any anti-spam laws your country has. There may be a higher degree of legal actionability there.