Being spammed by GDPR data requests

Since a week, we’ve been receiving “GDPR information requests” at the office on our privacy@<domain> address. Nothing illegal about that. Every data subject has the “right to access” under the GDPR regulation: ask a data controller company what information they have on them, and then optionally ask to delete some or all of that data.

Now the thing is: these requests seem ‘suspect’:

So this is my theory:

The organisation behind this initiative is virtually impossible to find, because all domains were registered with Gandi Private Whois protection, Eurid (the registrar behind .eu domains) gives out no information about registrants, and the HTTPS works with LetsEncrypt (so no domain owner information in the SSL certificate).

The irony of the whole thing is obviously is that someone is sending unsolicited email (a.k.a. spam) to companies under the pretense of sending GDPR requests. Does anybody else get these requests?

💬 privacy 🏷 gdpr🏷 spam