/r/pics employing weaponised bureaucracy in the fight against Reddit

dan@lemm.ee to Reddit@lemmy.ml – 950 points –
i.imgur.com

https://www.reddit.com/settings/data-request

redditdatarequests@reddit.com

Having worked at a company that had a massive influx of GDPR requests we weren’t prepared for, this one could actually cause them some trouble if Reddit don’t have that process properly automated.

123

You are viewing a single comment

You could consider making a data request first and after they respond, make a deletion request when you’d like your account removed. This will use even more resources.

If they do not respond to either the data request or deletion request (or do not fulfil these requests fully), you can make a complaint with your local data protection office or the one Reddit is based in (maybe Ireland?). Make sure you invoke GDPR using the correct language for your request.

Here’s a template letter of how to do so under GDPR. You must request your data or the deletion of you data using the correct legal framework (quoting the correct legislation) and these templates make this easy. Plus they cover more types of data than just your posts and comments.

https://www.datarequests.org/sample-letters/

Whenever I do this with other companies I do a SAR to get a copy of the data, then a RTBF request to get the data removed, then another SAR to see what they retained.

A significant number say they delete your data and then happily send it back to you a coupla months later when you make an SAR. The ICO loves those ones.

That's a great idea, I'll do this too.

Having also worked somewhere that was under GDPR, weaponised bureaucracy like this can really be used to consume staff resources.

Edit: it looks like Reddit have changed their data request form. To make a full GDPR request, with the additional data in the template, you'll need to email your request to Reddit (redditdatarequests@reddit.com).

You can not only request your data, but also request information regarding how your data is processed and also about psudo-anonymised data. These are much harder to automate a response to.

See here for examples from the template:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. where the personal data are not collected from the data subject, any available information as to their source;
  6. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.