
Ask HN: So your startup received the GDPR Nightmare Letter, now what? - Androider
We're a two-person startup and we've already received "the nightmare letter" (literally copied and pasted) from a few users: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/

It's one thing to send this type of nastygram to Google or Facebook, but sending this to someone you know is a tiny outfit is like a Denial of Service attack. We spent significant time making the systems and policies GDPR compliant, we store minimal PII (first/last/email and Google Analytics), but how do you even start to respond to this thing...
======
ryanwaggoner
First of all, where are you located? Can this be enforced at all? What would
happen if you just ignored?

Second, don’t you have a month to respond?

Third, aren’t you allowed to charge a reasonable fee? I suspect 99% of these
requests go away if you charge $50, which seems reasonable if it takes someone
more than 15 mins to respond.

Fourth, how do you validate the identity of the requester? Email addresses can
be spoofed, so that’s not sufficient. Can you make them jump through another
hoop to prove who they are?

I think my approach (if I wasn’t going to just ignore) would be to spend
the next month to prepare a form letter to match theirs that’s as vague and
non-specific as the law allows, and then just be able to plug in a few pieces
of info for that specific user, if needed. And then I’d charge them a fee AND
make them verify their identity somehow. I think 99.99% of them would go away.
And yes, they’ll file complaints. Which puts me right back at: if I wasn’t in
the EU, I’d just ignore this and point them to my privacy policy.
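
As an added example (not from the original post or any commenter here), the "extra hoop" the fourth point asks for can be a signed, expiring, single-use link that is only ever sent to the email address already on file, so a request with a spoofed From: header never receives anyone else's data. The redeemed token then returns the copy of the data in JSON, which is a commonly used electronic form. The in-memory user table, the names (issue_challenge, redeem_challenge, build_access_copy) and the per-deployment HMAC secret are assumptions made for the example:

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample records holding the minimal PII the post describes
# (first name, last name, email). Assumption: keyed by lower-cased email.
USERS = {
    "alice@example.com": {"first_name": "Alice", "last_name": "Example", "signed_up": "2018-05-25"},
    "bob@example.com": {"first_name": "Bob", "last_name": "Sample", "signed_up": "2018-06-01"},
}

# Assumption: one secret per deployment, loaded from the environment in practice.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600

# Nonces already redeemed, so a forwarded or leaked link cannot be replayed.
_consumed_nonces = set()


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the token payload with the deployment secret."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_challenge(claimed_email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a signed, expiring, single-use token for a subject access request.

    The token is delivered only to the address we already hold, never to the
    sender of the request, so a spoofed From: header cannot obtain another
    person's data. Returns None when no account matches; the caller should
    send the same generic acknowledgement either way, so the endpoint does not
    confirm which email addresses exist.
    """
    email = claimed_email.strip().lower()
    if email not in USERS:
        return None
    expires = int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)
    nonce = secrets.token_hex(8)
    payload = f"{email}|{expires}|{nonce}".encode()
    # Signature is hex so it never contains the "." separator; rsplit on the last "."
    # tolerates dots inside the email address.
    return base64.urlsafe_b64encode(payload + b"." + _sign(payload).hex().encode()).decode()


def redeem_challenge(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Validate a token clicked from the on-file address and return the data copy."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig_hex = raw.rsplit(b".", 1)
        sig = bytes.fromhex(sig_hex.decode())
        email, expires, nonce = payload.decode().split("|")
    except ValueError:  # bad base64, bad hex, or malformed payload
        return None
    # Check the signature before trusting any field; compare in constant time.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    if (now if now is not None else time.time()) > int(expires):
        return None
    if nonce in _consumed_nonces:
        return None
    _consumed_nonces.add(nonce)
    return build_access_copy(email)


def build_access_copy(email: str) -> dict:
    """The copy of the personal data held, as a JSON-serialisable dict."""
    record = USERS[email]
    return {
        "data_subject": email,
        "personal_data": {"email": email, **record},
        # Third-party processor as listed by the original poster.
        "third_party_processors": ["Google Analytics"],
    }


if __name__ == "__main__":
    import json

    token = issue_challenge("Alice@Example.com")
    print("link to email to the on-file address:", token)
    print(json.dumps(redeem_challenge(token), indent=2))
```

The email lookup is normalised, the signature is checked before the expiry or nonce fields are read, and a redeemed nonce is recorded so the same link cannot be used twice; the nonce set would live in a datastore rather than process memory in a real deployment.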

~~~
downandout
_Third, aren’t you allowed to charge a reasonable fee? I suspect 99% of these
requests go away if you charge $50, which seems reasonable if it takes someone
more than 15 mins to respond._

Unfortunately, even this won't work. Article 15(3) [1] states:

_"The controller shall provide a copy of the personal data undergoing
processing. For any further copies requested by the data subject, the
controller may charge a reasonable fee based on administrative costs. Where
the data subject makes the request by electronic means, and unless otherwise
requested by the data subject, the information shall be provided in a commonly
used electronic form."_

In other words, you have to provide the first copy for free and may only
charge for subsequently requested copies.

[1] http://www.privacy-regulation.eu/en/article-15-right-of-access-by-the-data-subject-GDPR.htm

------
Tomte
Which of the points do you have concrete trouble with?

Since you say you've spent effort to be GDPR compliant, most of the questions
should be easy to answer (and can become boilerplate text snippets for all
other letters).

I'd recommend starting on top, answering all the low-hanging fruit while
skipping more difficult or expansive questions on the first run-through. And
then take a look how much is left and see whether those are rightful demands
and who can answer them.

~~~
ryanwaggoner
Or you could just point them to your privacy policy and then just ignore them
if you’re not in the EU. They’re clearly just trolling to damage you.

The irony here is that the OP is one of the ones who put in the hard work to
comply with the GDPR, and yet they’re one of the first being attacked. And is
worrying about what to do. Meanwhile the truly bad actors have ignored the
GDPR and would ignore this letter, and that’s the end of it. Perhaps OP
thought that bowing to this law would appease the trolls, but nope. Like many
poorly thought-out and hard to enforce laws, this will harm the law-abiding
while the people it was aimed at skate free. What a shock.

------
downandout
Sadly, you won’t find much help on HN with this problem, and you can see by
the lack of upvotes how much people want to hear about any problems that it
causes. The overarching sentiment here is that GDPR is amazingly awesome and
that no abuses of it are going to happen. Don’t have 100 hours to reply to
each nightmare letter? You must be doing something bad with their data. This
isn’t the first abuse, and it won’t be the last.

Unfortunately, even if you’re not in the EU, you have optionally chosen to
subject yourself to the GDPR under Recital 23 by “mentioning” EU users. You
must spend the time to respond. The good news is that you can write it once
and send roughly the same response to each abuser. If you don’t respond to
their full satisfaction, you’re looking at immense fines.

Welcome to the GDPR.

