• Welcome to the LegalBeagles Consumer and Legal Forum.
    Please Register to get the most out of the forum. Registration is free and only needs a username and email address.
    REGISTER
    Please do not post your full name, reference numbers or any identifiable details on the forum.

Online business refusing to delete my data

Collapse
Loading...
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Online business refusing to delete my data

    I recently logged back in to an online marketplace app which I have been a member of for nearly two years to find my account had been blocked.

    The reason I was blocked, I discovered, is because I had (allegedly) created two accounts, which is against the Terms and Conditions. However this is not correct. I only have (and ever had) one account which is the one I attempted to log in to.

    I attempted to contact the company and tell them this must be a mistake. I asked them to either unblock my account or delete my data. They replied (amongst many other automated responses) to tell me I have broken their Terms and Conditions by creating multiple accounts, so they will not unblock my account.

    They have also refused to delete my data, telling me that I have broken their Terms and Conditions creating multiple accounts so they are within their rights to hold on to my data as they have a legitimate interest. But how can this be right when I have not broken their Terms and Conditions as they suggest?

    Every attempt I make to prove this is just met with automatic replies telling me the decision is final. I have completed a Subject Access Request, and the data returned only shows data for the sole account I have. They have told me the other username of the account they are accusing me of creating, naturally I’ve never heard of it.

    This doesn’t seem right that I am being falsely accused of wrongdoing, and that they are able to keep hold of my personal and financial data. I have opened a case with the ICO, but what are the chances of anything happening? Are there any other steps I should be taking?

    They assure me my data will be safe, but as I’m sure news stories in the past have proved, this can never be guaranteed.
    Tags: None

  • #2
    Is the company that runs this online site located in the UK?
    Lawyer (solicitor) - retired from practice, now supervising solicitor in a university law clinic. I do not advise by private message.

    Litigants in Person should download and read the Judiciary's handbook for litigants in person: https://www.judiciary.uk/wp-content/..._in_Person.pdf

    Comment


    • #3
      Assuming this is a UK company look at the ICO guidance to organisations on "legitimate interest" [LI] as a legal reason for retaining data:

      Legitimate interests | ICO

      Amongst other things note that it is not sufficient for an organisation merely to blandly assert it has a LI it must "explain what these interests are". Your company appears not to have done this.

      Also note that the ICO recommends organisations carry out a LI Assessment and advises "Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required."

      I would go back to them and say something along the lines that you have consulted the ICO for guidance in the light of their claim that they a legitimate interest in retaining their data and that you understand that they should explain to you exactly what their legitimate interest is. Please will they provide you with this explanation within the next 'x' days. You also understand from ICO that should have completed a Legitimate Interest Assessment to demonstrate compliance with the Data Protection Act and ask them for a copy of it.

      My understanding is that if they rely on a generic assessment it should be explained in their published privacy policy. But if they did an assessment specifically in relation to you it is data about you and should be disclosed in the SAR.

      Bear in mind that ICO guidance is what ICO think is good practice and is not always required by law
      All opinions expressed are based on my personal experience. I am not a lawyer and do not hold any legal qualifications.

      Comment


      • #4
        Thanks for the replies so far. Yes, the company concerned does have a location in the UK. They are now also accusing me of fraud, which again is not true. The latest reply from them is:

        —-

        Thank you for your patience, we have carefully reviewed your enquiry.

        As per your request, we have ensured that consents you have given in the "Cookie settings" and "Notifications" sections are revoked and your data is no longer processed for the respective purposes.

        Please note that personal data can be processed on a number of different legal bases and it's not always one's consent. Where the processing of data is based on legal bases other than consent (e.g. performance of a contract or legitimate interest), consent to such processing cannot be withdrawn – see Article 7 EU General Data Protection Regulation ('GDPR').

        As you have already been informed, you have violated the Terms & Conditions of use and therefore you have been blocked. This gives us grounds to continue processing your data on the basis of legitimate interest (Article 6(1)(f) GDPR), i.e. for the purpose of protecting the platform and other members from individuals who violate the Terms & Conditions of use. [As you had transactions via our payment service providers, we keep some of your data for 13 months from the day of the transaction to defend against possible payment disputes on the basis of a contract (Article 6(1)(b) GDPR).] [Also, since you had transactions on our platform, we are also legally obliged to store some of your data for accounting reasons (Art. 6 (1) (c) GDPR)].]

        As the further processing of your data is not based on your consent, the withdrawal of it is not applicable. Please be kindly reminded that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).

        The above arguments also imply that your request does not contain the grounds required to exercise the right set out in Article 17 GDPR.

        But no need to worry: your data associated with your account is scheduled to be permanently deleted as soon as the time limits set out in our Privacy Policy (LINK) expire. Until then, you can rest assured that your data is safe with us and is handled in strict compliance with legal requirements.

        Our response is based on applicable legislation. However, if you believe it infringes the GDPR or other laws in effect, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, and seek a judicial remedy.



        Surely they can’t just falsely accuse me of creating multiple accounts and frauds, not allow me to refute these claims, and then claim that is the legitimate interest?

        Comment

        View our Terms and Conditions

        LegalBeagles Group uses cookies to enhance your browsing experience and to create a secure and effective website. By using this website, you are consenting to such use.To find out more and learn how to manage cookies please read our Cookie and Privacy Policy.

        If you would like to opt in, or out, of receiving news and marketing from LegalBeagles Group Ltd you can amend your settings at any time here.


        If you would like to cancel your registration please Contact Us. We will delete your user details on request, however, any previously posted user content will remain on the site with your username removed and 'Guest' inserted.
        Working...
        X