Hello, I wrote a mail template which I send to websites that don’t have an easy process of deleting an account.

Maybe it helps you, maybe you will use it too for when you want to delete your unused accounts and maybe you can contribute to it. The better the message gets and the more websites offer an easy way to delete accounts, the safer we’ll be online.


If you can influence the deletion policy, please read on. Otherwise, please forward this to someone that can influence this process.

It’s better for the business to offer an easy way to delete an account. Ideally, it would be good to delete accounts which weren’t active for more than say 5 years, with a mail notification beforehand. Why? Here are the main reasons:

  • There are higher operation and maintenance costs because you have unused accounts in your databases.
  • The services load slower, with a performance penalty, because each user-related query has to go through many unused users.
  • The people opinion of your services decreases, because you don’t offer an easy way to delete accounts
  • People might change their mail to a throw-away address and leave the account open, thus producing more waste than necessary.
  • In case of a security breach, the amount of compromised data is higher than in case you regularly delete accounts, which might lead to financial penalties.
  • The information you get out of a database with active accounts is much more precious than the information from a stale database, or one with obsolete data.

I hope this information helps and that you will change your policy of deleting accounts. Each website that does this, contributes to a better, safer ecosystem.

  • lazynooblet
    link
    fedilink
    English
    25 months ago

    Can’t a non EU holder of your data tell you to kick rocks?

    • @[email protected]
      link
      fedilink
      125 months ago

      No, because by processing EU personally identifiable information a non EU company becomes a data controller / processor as defined by GDPR and has to comply with its requirements including data subject rights, such as the right to access, rectification or deletion.

      Well, they can still tell you to kick rocks obviously, in which case you could report this to your EU regulator as empowered by the GDPR. If a regulator decides action is necessary this would follow the sanctions as set out in GDPR (maximum of 10 million or 4% gross worldwide annual turnover).

      • lazynooblet
        link
        fedilink
        English
        15 months ago

        So say a local Australian software company tells you to get fkd. What can the EU regulator do?

        • @[email protected]
          link
          fedilink
          55 months ago

          Assuming you’re a EU citizen, you could file a compliant with your regulator. For instance, the UK has the ICO (Information Commissioners Office). They would, based on severity, risks and their own investigative priorities, make a decision on whether or not to actively pursue your complaint. Generally speaking, it would have to be a pretty big issue to warrant an investigation because of the sheer amount of complaints and data breaches.

          Assuming they have both their resources and priorities aligned on your complaint, they could

          • request information regarding the matters in your complaint (proof on way of working, how the matter should be settled, etc)
          • start a limited investigation (there could be something amiss but it doesn’t seem to warrant a full investigation
          • start a full investigation with the aim to ascertain compliance with GDPR

          The specifics can vary depending per member state and generally speaking are set out in the GDPR. If a company outside of the EU has been processing PII and does not comply materially with the GDPR they can fine them. Furthermore, they can order a stop of any data transfer out of the EU to the company or its sub processors to effectively stop all processing.

          Basically, your complaint can lead to a company having the living daylights fined out of them, regardless of wether they themselves operate in the EU.

          • lazynooblet
            link
            fedilink
            English
            35 months ago

            Okay, I understand so far.

            What I am struggling with is the limitations of duristriction.

            So the EU finds the Australian company in breach of their rules. They send a notice of intent to pursue damages to the Australian company. And they tell the EU to kick rocks.

            Surely laws made up in one country don’t apply in all. The internet makes this a muddy area, as it’s fully connected and nothing is stopping Joe in Netherlands from signing up to a service hosted in Vietnam. The Vietnam company can just ignore GDPR, ignore requests, ignore fines.

            • @[email protected]
              link
              fedilink
              45 months ago

              That’s a valid point and relates to a nation’s sovereignty. If they don’t recognise an EU legislation, it will be difficult. That’s why overarching legal frameworks exist to allow one country to enforce court decisions in another country. The EU uses this: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32012R1215. Other countries have treaties.

              In other cases, if no treaty exists it could require starting legal proceedings in the country where the company resides. For instance, Australia. And through local arbitration enforce a court decision, based on the legal framework of the country of residence. It needs no explanation this is expensive and time consuming.

              I’m not a lawyer and not sure if a EU-Australia treaty exists but wouldn’t be surprised. It’s more complex than just having or not having a treaty.

                • @[email protected]
                  link
                  fedilink
                  15 months ago

                  Basically nothing happens in most cases. In your example of a local Australian company, no they are generally not forced to comply with any EU law unless they also do business there in some way.