this post was submitted on 25 Jun 2023
985 points (99.6% liked)

Reddit

13621 readers
1 users here now

founded 5 years ago
MODERATORS
[email protected]
985
/r/pics employing weaponised bureaucracy in the fight against Reddit (i.imgur.com)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
122 comments fedilink hide all child comments
 

https://www.reddit.com/settings/data-request

[email protected]

Having worked at a company that had a massive influx of GDPR requests we weren’t prepared for, this one could actually cause them some trouble if Reddit don’t have that process properly automated.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 1 year ago (1 children)

Whenever I do this with other companies I do a SAR to get a copy of the data, then a RTBF request to get the data removed, then another SAR to see what they retained.

A significant number say they delete your data and then happily send it back to you a coupla months later when you make an SAR. The ICO loves those ones.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

That's a great idea, I'll do this too.

Having also worked somewhere that was under GDPR, weaponised bureaucracy like this can really be used to consume staff resources.

Edit: it looks like Reddit have changed their data request form. To make a full GDPR request, with the additional data in the template, you'll need to email your request to Reddit ([email protected]).

You can not only request your data, but also request information regarding how your data is processed and also about psudo-anonymised data. These are much harder to automate a response to.

See here for examples from the template:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. where the personal data are not collected from the data subject, any available information as to their source;
  6. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.