Hi,
Does anyone have any experience dealing with companies like https://saymine.co/? They send data deletion requests from individuals’ private e-mail addresses, but the e-mails are labelled “powered by Mine” and there are some indications that their service includes getting access to the registered individual’s entire inbox and then sending requests to any company they find. In short, how can we verify that the request has in fact been made by the person they claim to be representing? Replying to the e-mail won’t do if they have access to the inbox.
Ian G
Just adding to this thread as we receive waves of these erasure requests from Saymine (generating probably around 95% of all our total erasure requests). We can get 40 one weekend and then 1 or 2 over the next few weeks. Given the random times day and night the requests come in I believe the emails are sent via saymine servers who seem to have peaks and lulls in activity.
Our approach is we contact the individual directly, as the email address is included in the request, to get them to confirm they raised the request. Around 80%+ do not come back to us to confirm this, so we don’t process their erasure request further.
I think the ICO’s approach on these would be: if the request includes the individual’s email address, reach out to them, but you’re under no obligation to sign up to the third party portal, as an earlier comment mentioned.
PGustavsson
Thanks Ian, that’s the approach we’ve been taking as well.
Stephen Lark
As these are third party companies seeking to profit, I always refuse requests based on automated collecting of data by controllers and processors – i.e. email scanning.
I recommend that you wait for Mine, or whomever, to contact you and then explain you only accept requests from the individual directly and upon further verification such as a letter to a physical address and/or phone call.
Just keep a record of the refusals and the reason. If it’s important the data subject will contact you themselves.
Yorkie82
We normally deal with deletion requests quite straightforwardly and use the data provided and the fact that it comes from the registered email address as sufficient proof to delete the account.
For SARs we request further ID verification and just communicate with them through their registered email address, not through the portals of the provider.
Dean
So, to your point, you’re absolutely right in your understanding of how the platform works, and you’re very right to be concerned about having assurance over the legitimacy of the requests. From my understanding there are some disagreements on the identity verification technology/protocols that the Mine platform uses and of course, disclosing or deleting data without appropriate authorisation gets us into hot water.
You may choose to take a punt and try and verify the legitimacy of the request, or you may choose to take a more risk-based approach and either contact Mine or Privacy Bee and others to try and verify the requests or ignore them and instead respond to an individual directly.
My understanding is that these tools are free. Well, nothing is truly free, so how are they funded? Makes you wonder: are we the product again?
Dean
There is a fair amount of controversy around the use of third-party SAR portals, like for example saymine. It works by an individual signing up on the Mine website and granting access to their email account. The Mine tool then scans all of the contents and, depending on the access level that someone grants to Mine, it will then send off requests to all the companies.
In the UK, the ICO has issued guidance around subject access requests and they have advised that organisations are under no obligation to take proactive steps to determine if a SAR has been requested. This would indicate that there is no obligation to sign up to Mine to determine if a SAR has been logged. This link might help: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/how-do-we-recognise-a-subject-access-request-sar/#portal
PGustavsson
Great, thanks Dean!