Being spammed by GDPR data requests

For about a week now, we’ve been receiving “GDPR information requests” at the office on our privacy@<domain> address. Nothing illegal about that. Every data subject has the “right to access” under the GDPR: they can ask a data controller what information it holds on them, and then optionally ask it to delete some or all of that data.

Now the thing is: these requests seem ‘suspect’:

  • we are a Belgian B2B company, serving only Belgian customers. Still, these requests come from consumers in France, Germany … but hardly any from Belgian data subjects
  • the requests come from email addresses with domains like electronicprivacy.eu, rgpd.guru, webflip.eu, yauo.me – and all these domains were only registered on 18 Oct 2018, about a week before the requests started coming in. All the domains were registered through Gandi.net, a big French domain registrar.
  • all the emails contain a similar footer “If this email is not for you, please inform me : not for me”, and the ‘not for me’ link almost always points to the l.electronicprivacy.eu domain.
  • the emails don’t read like emails written by real people.
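As an added example (not from the post or its commenters), a small Python triage script that checks an inbound request against the indicators listed above: a sender domain registered only days earlier, the shared “not for me” footer, and a link to l.electronicprivacy.eu. The registration dates are a constructed table standing in for a WHOIS lookup, the reference date and the sample message are constructed, and the indicator names are my own.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for a WHOIS/RDAP lookup: the post reports that all four
# sender domains were registered on 18 Oct 2018, a week before the mails began.
DOMAIN_REGISTERED = {
    "electronicprivacy.eu": date(2018, 10, 18),
    "rgpd.guru": date(2018, 10, 18),
    "webflip.eu": date(2018, 10, 18),
    "yauo.me": date(2018, 10, 18),
}
MAX_DOMAIN_AGE_DAYS = 30  # a request from a domain younger than this is suspect
FOOTER_RE = re.compile(r"not for you.{0,40}inform me", re.I | re.S)  # shared footer
TRACKING_HOST = "l.electronicprivacy.eu"  # where the "not for me" links point

def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if unparseable)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def triage(raw_message, today=date(2018, 10, 26)):
    """Return the sorted indicator names that fire for one plain-text message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hits = []
    registered = DOMAIN_REGISTERED.get(sender_domain(msg))
    if registered and (today - registered).days <= MAX_DOMAIN_AGE_DAYS:
        hits.append("young_sender_domain")
    if FOOTER_RE.search(body):
        hits.append("shared_footer")
    if TRACKING_HOST in body.lower():
        hits.append("tracking_link")
    return sorted(hits)

# Constructed message modelled on the post's description, not a real capture.
SUSPECT = """\
From: Jean Dupont <jean.dupont@rgpd.guru>
To: privacy@example.be
Subject: Demande d'information RGPD

Under GDPR article 15, please send me all personal data you hold about me.

If this email is not for you, please inform me : not for me
http://l.electronicprivacy.eu/?mid=141475&sid=134419
"""

if __name__ == "__main__":
    print(triage(SUSPECT))  # ['shared_footer', 'tracking_link', 'young_sender_domain']
```

A request that fires all three indicators is still a request: the script only prioritises review, it does not answer for the controller.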

So this is my theory:

  • Someone scraped the web for all privacy@<domain> addresses.
  • That person/organisation is now sending (unsolicited) emails with GDPR data requests to all these privacy addresses.
  • There is little chance of there being any data to review, since the sender addresses cannot be older than 18 Oct 2018, the day their domains were registered.
  • I suspect the ‘mother’ domain is electronicprivacy.eu. There is no ‘www’ website yet.
  • I suspect the goal is to compile statistics on how companies treat GDPR data requests. Maybe do some naming and shaming.

The organisation behind this initiative is virtually impossible to find, because all domains were registered with Gandi Private Whois protection, Eurid (the registrar behind .eu domains) gives out no information about registrants, and the HTTPS sites use LetsEncrypt certificates (so no domain owner information in the SSL certificate either).

The irony of the whole thing is obviously that someone is sending unsolicited email (a.k.a. spam) to companies under the pretense of sending GDPR requests. Does anybody else get these requests?

5 thoughts on “Being spammed by GDPR data requests”

  1. Hi Peter, yes one of my customers in France is receiving exactly the same mails, with same origins. They’ve received 3 so far.
    This is indeed for me RGPD spam/trolling.
    The link in the footer is exactly the same, except the ids are different:
    1st email – mid=141472&sid=134416 from electronicprivacy[.]eu in FR (Demande d’information RGPD)
    email 2 – mid=141475&sid=134419 from rgpd[.]guru in DE (Anfrage nach persönlichen Daten)
    email 3 – mid=141473&sid=134417 from yauo[.]me in FR (ma vie privée & mes données)
    although the target email is the same “contact” address.
    If you visit the url in the link, without parameters, you get a page that tells you to click on the link in the email instead… There’s no website, as there’s probably no real entity behind.
    Unfortunately, I can’t check the email headers for the exact origin/route.
    There’s a hidden tracker in each mail, using Amazon AWS in Ireland.
    IMHO, should be reported to Gandi first.
    Sincerely
    DJM

  2. We also got those requests from the same domain.

    It was suspicious for us also.

    Try to access their domain like “yauo.me” and you will understand that you may be right on the spot with your guess: “I suspect the goal is to compile statistics on how companies treat GDPR data requests”.

  3. Yes, we got identical requests and were investigating on them. That’s how I found your site.
    Thanks for the post

  4. Thanks a lot for your post, I have received exactly the 3 same emails :s
    From what I understand, we don’t do anything, right?
