Incorrect reference in response to refused data erasure requests sent through wrong medium #1085

Open
fpq943 opened this issue Jul 21, 2023 · 1 comment

fpq943 commented Jul 21, 2023

(The following has been rewritten using ChatGPT)

Possibly related to #1033

Issue:
When a company refuses a data deletion request, citing the use of the wrong communication medium or contact, the corresponding generatable response references guidelines related to the right of access instead of the right to erasure. This raises concerns about the applicability of the response to data erasure requests. Additionally, the inclusion of a 2-week response deadline seems arbitrary, as the GDPR allows organizations up to one month (extendable to three months) to comply with data deletion requests.

Proposed Improvement:
To effectively address the issue, the generated response should be revised to include proper references to guidelines and articles specifically supporting the unlawfulness of refusing data erasure requests based on the means of communication. If, for any reason, this approach is not feasible, the use of references to the guidelines for data access should be justified as an alternative solution. Furthermore, the 2-week response deadline should be reconsidered or justified, taking into account the GDPR's stipulated timeframe for data deletion requests.

Details:
The current generated response in the flow ("My requests" -> "React" -> "Company claims request was sent via the wrong medium or to the wrong contact." -> "It was not sent through their web form/self-service tool.") contains references to guidelines regarding the right of access, not the right to erasure (cf. European Data Protection Board, “Guidelines 01/2022 on data subject rights - Right of access”, Version 1.0, paras. 50, 53, 136). The GDPR doesn't introduce any formal requirements for access requests, but the referenced guidelines do not specify that this leniency also extends to erasure requests. Therefore, alternative references related to the right to erasure should be provided in the generated response.

Regarding the legal opinion expressed in datenanfragen/data#2099, I am curious to know the reasoning behind considering this practice illegal.

An alternative reference to support the argument against refusal based on the communication medium can be found here. This source highlights possible exceptions to data removal requests but does not mention the method of communication.

Another relevant point to counter the refusal based on the medium is mentioned in Article 14(2). It states that the controller should facilitate the exercise of data subject rights (including the right to erasure) and should not refuse to act on such requests unless they cannot identify the data subject.

To strengthen the case against unlawful refusal of erasure requests based on communication means, it would be helpful to find additional references that explicitly state the unlawfulness of such refusals.

Regarding the 2-week response deadline mentioned in the generated response, it is not clear what this timeframe is based on, given that the GDPR allows organizations to delete the specified data within one month (Article 14(3, 4)), which can be extended to three months. It would be beneficial to justify or reconsider this addition in light of the GDPR's specified timeframe.

References:
The following are the excerpts from the generated response related to this issue, provided for your reference:


"You have refused to answer my request unless I send it through your web form/self-service tool. Please be aware that the GDPR doesn’t allow you to impose any additional formal requirements on requests (cf. European Data Protection Board, “Guidelines 01/2022 on data subject rights - Right of access”, Version 1.0, para. 50). This means that while you can offer such a self-service tool or web form for requests, you still have to comply with requests sent via other means (cf. European Data Protection Board, “Guidelines 01/2022 on data subject rights - Right of access”, Version 1.0, paras. 53, 136).

[...]

I request that you adequately respond to my request within two weeks from the date of receipt of this message."


The paragraph regarding additional formal requirements in the referenced guidelines is the following (para. 50):


"It should be noted that the GDPR does not introduce any formal requirements for persons requesting access to data. In order to make the access request, it is sufficient for the requesting persons to specify that they want to know what personal data concerning them the controller processes. Therefore, the controller cannot refuse to provide the data by referring to the lack of indication of the legal basis of the request, especially to the lack of a specific reference to the right of access or to the GDPR. [...]"

fpq943 commented Jul 21, 2023

(Also rewritten using ChatGPT)

Furthermore, on a somewhat related note, I'm facing a situation where a company is declining my data erasure request made via email. Instead, they are requiring me to log in to their platform to access the account closure feature, as a security measure.

Moreover, before allowing me to close my account through the platform, they demand that I complete an unrelated task to meet a certain requirement, despite providing no legal justification for such a condition.

A potential solution could involve considering similar cases like this, either by integrating them into the mentioned response or by providing an additional response dedicated to such situations.
