A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?
They already said they don’t want to.
They asked you to install the app on purpose, in hopes that you’ll decide it’s too much hassle and decide not to delete the account.
How do you know this?
My first thought was “they probably want to ensure they are who they say they are and so want an authenticated request” - while that’s against GDPR, not everyone is as educated as they should be, and not every mistake is a nefarious activity.
There’s no reason an app should be more trustworthy than the email.
It’s pretty standard for scummy companies to make the process as annoying as possible.
The individual responding isn’t the issue. They haven’t made any decision to respond like this, they are following a script.
The script is written by people who should know exactly what they are doing, so the result is either malice or negligence. Either way it’s unacceptable where the law is concerned.