1

For a week now, I have been getting some French emails. Since I don't know French, I used Google Translate to find out what this is about:

Email 1:

Hello,

In exercising my rights of access and information regarding the processing of personal data concerning me, I would like to obtain from you confirmation that you do not hold, in your databases or those of your subcontractors, any information linked to my email. My request follows the receipt of spam even though the use of this email address is extremely limited; I therefore ask that the search procedure be limited to my email and to the data that you or your subcontractors may have associated with it.

I do not wish to access account data or any data linked to a physical identity. I therefore ask you to carry out the checks on the basis of my ownership of this email, without any other verification procedures that would be excessive in view of my request.

In the event that data concerning me is detected... I ask you to specify the source from which this data was obtained and the associated processing and sharing.

Awaiting your reply

Email 2:

I am writing to follow up on my request for access to the data linked to my email, sent last week. Did you receive my request? You legally have 1 month to reply to me. Given that my request is simple and limited, extending the reply period by one month would seem rather inappropriate to me.

Awaiting a reply from you.

So basically, this person is asking me whether I process his data (I don't have any business in France) in my app, which is targeted at a different country.

I did not respond to this email, thinking it was some kind of spam; however, the second email says that I should respond to the first email and that I have 1 month to do so.

My questions are: what is this? Am I obliged to respond within 1 month to such emails? I don't know French, so officially I can reply: I don't speak French, so I have no idea what you want. If he starts writing in English, I can do the same, telling him I don't speak English :)

All the emails come from electronicprivacy.eu.

undefinedman

6 Answers

1

Just got the exact same very-badly-written-in-French email. I do have a business (Canadian based, but we mostly work with large companies abroad). It smells very fishy... phishing?

Found this website (in French, of course):

https://www.cnil.fr/fr/professionnels-comment-repondre-une-demande-de-droit-dacces

It says: "What supporting documents should you ask for? To exercise their rights, the person must prove their identity. In principle, this proof may be provided 'by any means'. Thus, it is not necessary to attach a photocopy of an identity document when exercising a right, as long as the person's identity is sufficiently established (for example, by providing a customer number or details that identify subscribers to a service). Moreover, in a digital environment, exercising one's rights from a space where the person has authenticated may be sufficient, depending on the digital identity data requested (for example FranceConnect). Nevertheless, if you have a 'reasonable doubt' about the identity of the requester, you may ask them to attach any other document proving their identity, such as, if necessary, a photocopy of an identity document. On the other hand, you cannot systematically require such supporting documents when the context does not justify it. It is, for example, disproportionate to automatically require a copy of an identity document if the requester is making the request from a space where they are already authenticated. An identity document may however be requested in case of suspected identity theft or account hacking, for example. The level of verification to be carried out may vary depending on the nature of the request, the sensitivity of the information communicated and the context in which the request is made."

So basically, ask for a client number or anything that could identify the person asking for sensitive data. That should solve the problem: if it's phishing, the person will send you a fake client number, and then you can decline their request, or you'll get no reply to your email. Either way, you'll be safe if this email was ever legit.

0

According to GDPR's extremely broad phrasing, all EU citizens have the right to request their data even from companies that do not have any physical holdings in the EU. This is a proper request under that regulation. I would say that if you have data pertaining to the email address in question, provide that data to that email address. If the data is of an extremely sensitive nature, I would perhaps correspond with the person asking for the data to verify their identity in other ways before sharing. Finally, make sure any data you share is sent in a secure, encrypted way (GDPR recommends setting up a self-serve TLS-encrypted portal for this purpose).

DarkMatter
0

French citizen here!

The request, if I understand correctly, seems to be asking what information you have on this email. GDPR requests are legitimate and you have to take them into consideration even if your business is not EU oriented. In other words, you have to comply with this user's request (if you really have any information on this email) and find a way to answer him, even if you don't speak French. Otherwise, this user could sue your company and you might be fined.

electronicprivacy.eu seems to be a kind of "patrol" checking the actual state of GDPR-compliant websites. I don't know their final aim, but you should consider replying to them as they might be building some kind of GDPR-compliance "ranking" or whatever. This being said, it is very, very unlikely that it will have any other impact on your business.

If your business is not oriented toward EU users and you do not want to comply with GDPR, then you have to block them (by blocking their IP address).

Xavier59
0

Indeed, GDPR requests are legitimate in Europe, but don't reply to this mail. It's phishing spam. See that on @rosebirdpro and https://twitter.com/Security_Hack3r/status/1060294795501989888

Engaged citizen LOL Bye

0

Their website explains this:

Hey, does our email look suspicious?

Don’t worry, we are not doing SPAM toward DPOs. We are going around sites testing the information processes for citizens on “my personal data“. We only have 4 emails for which we request access to information.

If you are not DPO, we apologize for the inconvenience. You can simply inform us using the link at the bottom of the email we sent you and we will not send you email anymore.

If you are DPO and you found the email suspicious, it's probably because we have automated the process: we are trying to ask all websites and it takes quite a lot of time. Our requests are legit. If you find that they are not, you can ask us not to send you mail using the link at the bottom of the email we sent you. We will put you in the refusal category for our study and will respect your choice.

If you are DPO and you are curious to know more about what we do, you can send us your email here and we can discuss it directly.

So this is not a private EU citizen requesting what data you have on them.
People do have the right to ask a third party to make these kinds of requests. From, e.g., the UK ICO page about GDPR Individual Rights:

What about requests made on behalf of others?

The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.

It does not, however, seem that this electronicprivacy club is doing that; they just seem to be spamming random site owners. What for? Well, the text says it's a study.

  • Ignore them.
  • Or ask them what study. They probably want to publish a report on the state of GDPR implementation as they see it. That would be for their own benefit, so you could even consider this spam: even if they were asking you to participate in the study, it would be spam.
  • Or point them to the regulations and ask on whose behalf they are making the request (as lolablindfold suggested). They will probably not answer.

This thing looks fishy anyway:

  • Nowhere on their site do they say more, or who they are.
    Yes, you can subscribe to their MailChimp email list; more data collecting on their side.
  • They place one or two cookies on your system without asking for consent.
-1

I received this e-mail too, from firstname.lastname@electronicprivacy.eu (*). That e-mail address isn't in my database and I have never seen it before. It is not a customer of ours and it is not in our mailing list. So it feels like spam from their side, and maybe an attempt to place malware on your computer, since they ask you to click on their links to answer rather than "just" asking for an answer by reply. (*) To avoid any recognition, I was polite enough to change the name to firstname.lastname.

Eric J