Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: What to do with a GDPR deletion request when the user can't verify?
5 points by meifun on Dec 12, 2018 | hide | past | favorite | 7 comments
We are starting to get GDPR deletion requests at work. However, there area number of requests where the user cannot verify their e-mail address. They either dont have access to that account anymore or they don't remember what e-mail address they used to sign up.

What should we do to verify when all we have stored is username, e-mail address, password and various login dates?




You should consult your GDPR specialized attorney on these matters to insure you are in legal compliance. When this law came into effect you should have drafted corporate rules and requirements for user validation and processes for how to handle users that did not have all of this information to help determine if their requests could be legally invalidated or other means of validation. This would also help protect your company insuring you would exhaust all legal measures allowed to properly process requests while still protecting your company.

If you are not a company you should consult a GDPR specialized attorney to help draft up processes for handling these matters to help insure you are in legal compliance and properly protect yourself legally.


I understand what you are saying, but there must be guidelines for how to handle deletion requests when identity can't be verified? Otherwise aren't we just making up policy?


Send an email (multiple over weeks/months) to their account "you've requested deletion, if this is incorrect click here". If you can't verify they want you to keep there data then you probably shouldn't keep it.


If the user can't verify their email address, how do they even know their account still exists?


Because they can login with their user id and password or their email address and password.


Ok. You can't show them a "delete my account" button after they log in?


This is what the engineering team is going to do to handle these types of requests. Thanks for mentioning it. I guess if the user can login, they should be able to delete themselves.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: