this post was submitted on 13 Mar 2024
0 points (NaN% liked)

Privacy

829 readers
1 users here now

Privacy is the ability for an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.

founded 2 years ago
MODERATORS
[email protected]
0
Giving fake info can compromise your GDPR access rights (sopuli.xyz)
submitted 7 months ago by [email protected] to c/[email protected]
11 comments fedilink hide all child comments
 

cross-posted from: https://sopuli.xyz/post/10336994

I often give fake info as an extra measure of data protection. If I don’t need the data controller to have my date of birth, I give a fake one.

Well this just screwed me because I made an access request and the data controller said: to verify your identity, tell us your date of birth. Fuck me. I didn’t keep track of which fake date I gave them. I didn’t even keep track of whether I gave fake info. So they could treat my otherwise legit request as a breach attempt.

I should have kept track of the birth date I supplied. I will; from now on.

top 11 comments
sorted by: hot top controversial new old
[–] [email protected] 0 points 7 months ago (1 children)

What data controller is that?

Very few of them have a valid ground to process your birh date. Do they need it to provide you the service? No? Then they fail the data minimization requirement.

and refusing access right on the ground of the birth day, which they should not have in the first place, is the cherry on the cake.

Send them a letter to tell thel that you are ready to submit a complaint to your regulator (or the lead regulatior), but that you are ready to compromize to save hassle to everybody. A few thousands are always welcome.

But again, this is valid only if the controller have no ground to process birth date. If it provide adult stuff, or legal benefits, etc. it's a different story.

[–] [email protected] 0 points 7 months ago (1 children)

What data controller is that?

Grocery store loyalty card. I actually quit all grocer loyalty cards because the 1% savings or whatever is a lousy insignificant amount for being tracked in such detail. And I switched to cash. The grocer’s website started blocking Tor so I started boycotting them and I’m just digging around on the principle that if they don’t have enough privacy respect to serve Tor users then they should be probed.

The whole point of the loyalty card is to do market research. They would likely claim that processing birth date is lawful under Art.6¶1(b) (“processing is necessary for the performance of a contract”). But is it? I mean, buying the food doesn’t even need a contract. One could argue that offering exclusive promos to cardholders does not require any data collection. But it would defeat the grocer’s purpose for entering into the contract. I guess I should read up on EDPB guidelines 2019/02.. that should have the answer.

[–] [email protected] 0 points 7 months ago

Providing the service is selling groceries, that doesn't require a birth date.

So it's not possible to sneak it under performance of contract. Only Legitimate Interest or Consent could be valid, and you can oppose/retract.

But good readng, please provide our findings, that will save me a reading 😅

[–] [email protected] 0 points 7 months ago (1 children)

I work in tech and often have to create accounts for testing or to hand over to clients. I was so happy when we hit 2019 and Jan 1, 2001 became a valid birthday, 01-01-01 in any date order.

[–] [email protected] 0 points 7 months ago* (last edited 7 months ago)

I usually do 01-01-1970 because its easy to remember and isn't my real DOB but I was born in the 1970's

Of all the things that remember it, Steam is the only one that knows the truth but somehow remembers the fake date I gave it once when asking for age verification before letting me look at an adult rated game. Always makes me chuckled that they allow the lie to continue.

[–] [email protected] 0 points 7 months ago

This is what the Comments field in your KeePass entry is for.

Security questions answers get their own entry tho, so the answer starts hidden when you open it.

My mothers maiden name is -{JtYpEQ03)ew-#g btw..

[–] [email protected] 0 points 7 months ago (2 children)

Good tip; I guess I’ll just pick a consistent date from now on.

[–] [email protected] 0 points 7 months ago (1 children)

Now you've run into the same issue as using your real DOB.

[–] [email protected] 0 points 7 months ago

I suppose I could work out a way of hashing the website name into a date, then I can rehash it whenever needed

[–] [email protected] 0 points 7 months ago

I’ll probably use a different DoB for each but keep it in a password file and treat it like a password of sorts.

The data controller was actually being quite responsible in this case by verifying a simple piece of info that should have been mutually known. Many data controllers are reckless and demand a full copy of an ID card (entirely against GDPR rules).

[–] [email protected] 0 points 7 months ago

Well if it was fake you’re already kind of protected. But, yeah, pick a date you’re likely to remember.