For about a week now, we’ve been receiving “GDPR information requests” at the office on our privacy@<domain> address. Nothing illegal about that. Every data subject has the “right to access” under the GDPR regulation: ask a data controller company what information they have on them, and then optionally ask to delete some or all of that data.

Now the thing is: these requests seem ‘suspect’:

  • we are a Belgian B2B company, serving only Belgian customers. Still, these requests come from consumers in France, Germany … but not really from Belgian subjects
  • the requests come from email addresses with domains like electronicprivacy.eu, rgpd.guru, webflip.eu, yauo.me – and all these domains have only been registered on 18 Oct 2018, about a week before the requests started coming in. All the domains were registered through Gandi.net, a big French domain registrar.
  • all the emails contain a similar footer “If this email is not for you, please inform me : not for me” and the ‘not for me’ link almost always points to the l.electronicprivacy.eu domain.
  • the emails don’t look like emails written by real people.
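The traits listed above (freshly registered sender domain, boilerplate “not for me” footer, link back to one central domain) are exactly what a mailbox triage rule can score. The following is an added example, not code from the original post: it parses two constructed messages modelled on those traits and flags one as suspect. The registration dates are a hand-made lookup table standing in for a WHOIS/RDAP query, and all addresses, dates and links in the samples are constructed.

```python
import email
import re
from datetime import date
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the suspicious requests described above.
SUSPECT_MSG = """From: Jean Dupont <jean@rgpd.guru>
To: privacy@example.be
Date: Thu, 25 Oct 2018 09:12:00 +0200
Subject: GDPR information request

Please send me all personal data you hold about me.

If this email is not for you, please inform me : <a href="https://l.electronicprivacy.eu/nfm/123">not for me</a>
"""

# Constructed sample of an ordinary request from a long-standing customer domain.
NORMAL_MSG = """From: Anna Peeters <anna@customer.be>
To: privacy@example.be
Date: Thu, 25 Oct 2018 10:00:00 +0200
Subject: Question about my invoice data

Hi, I would like to know which data you keep about my company account.
"""

# Constructed registration dates; in practice these come from a WHOIS/RDAP lookup.
DOMAIN_CREATED = {
    "rgpd.guru": date(2018, 10, 18),
    "electronicprivacy.eu": date(2018, 10, 18),
    "customer.be": date(2009, 3, 2),
}

FOOTER_RE = re.compile(r"if this email is not for you, please inform me", re.I)
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def sender_domain(msg):
    """Return the lower-cased domain part of the From: address."""
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def triage(raw, created=DOMAIN_CREATED, max_age_days=30, tracker="electronicprivacy.eu"):
    """Score one raw RFC 5322 message against the three traits; two or more hits = suspect."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = parsedate_to_datetime(msg["Date"]).date()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    domain = sender_domain(msg)
    reasons = []

    # Trait 1: sender domain registered shortly before the request arrived.
    created_on = created.get(domain)
    if created_on is not None:
        age = (received - created_on).days
        if age <= max_age_days:
            reasons.append(f"sender domain {domain} registered {age} days before the request")

    # Trait 2: the boilerplate 'not for me' footer.
    if FOOTER_RE.search(body):
        reasons.append("standard 'not for me' footer")

    # Trait 3: any link pointing at the central tracker domain or a subdomain of it.
    hosts = {h.lower() for h in LINK_RE.findall(body)}
    if any(h == tracker or h.endswith("." + tracker) for h in hosts):
        reasons.append(f"link back to {tracker}")

    return {"sender": domain, "suspect": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for sample in (SUSPECT_MSG, NORMAL_MSG):
        print(triage(sample))
```

The scoring deliberately needs two independent hits: a young domain alone is not evidence of anything, and a legitimate subject could copy a footer from a template. Flagged mail still gets a reply within the statutory deadline; the flag only decides whether it goes to the normal queue or to a batch review.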

So this is my theory:

  • Someone scraped the web for all privacy@<domain> addresses.
  • That person/organisation is now sending (unsolicited) emails for GDPR data requests to all these privacy addresses.
  • There is little chance of there being any data to review, since the email addresses cannot be older than 18 Oct 2018.
  • I suspect the ‘mother’ domain is electronicprivacy.eu. There is no ‘www’ website yet.
  • I suspect the goal is to compile statistics on how companies treat GDPR data requests. Maybe do some naming and shaming.

The organisation behind this initiative is virtually impossible to find, because all domains were registered with Gandi Private Whois protection, EURid (the registry behind .eu domains) gives out no information about registrants, and HTTPS is served with Let's Encrypt certificates (so no domain owner information in the TLS certificate).

The irony of the whole thing is obviously that someone is sending unsolicited email (a.k.a. spam) to companies under the pretense of sending GDPR requests. Does anybody else get these requests?