Knowledge Base

Since GDPR is here now....

Started by: i_like_pokemon
On: 05/07/2018 | 22:41
Replies: 16

by: i_like_pokemon
on: 05/07/2018 | 22:41 edited: 08/07/2018 | 19:01

I think it is time to give user options to delete their account/s. 

Message 1 of 17
by: cazaline71
on: 05/07/2018 | 23:55



Technically, if you really wanted to, you could write to them and ask them:


Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.


You can read more on this here:


As per the DPA 2018, the data controller (giffgaff), has information on us (the data subject)


I don't know how the GDPR and the DPA 2018 have changed, but I assume that the 8 data principles are largely the same, hence giffgaff cannot "keep data longer than is necessary" and this can often be a period of two years or more, depending on the circumstances. 


Again, I have no qualifications in law, and I don't know a lot about all this, I just find it interesting and I'm just stating stuff I have found, correct or incorrect. There's probably a disclaimer about this in giffgaff's T&Cs that explain how they process your data and how long they keep it

No trees were destroyed in the sending of this message, however, a significant number of electrons were terribly inconvenienced.
Message 2 of 17
by: jeremylalou
on: 06/07/2018 | 00:00
Good point.
Message 3 of 17
by: otbc11
on: 07/07/2018 | 09:46
Does it really matter having an account which you no longer use although I do understand that some members might top up the wrong account.
Message 5 of 17
by: endorphin
on: 07/07/2018 | 11:27

Hi @i_like_pokemon you can ask an agent to delete your data using this form


However giffgaff can retain any information which it deems to be commercially important.

Get a free giffgaff SIM/microSIM/nanoSIM with free £5 credit
Message 6 of 17
by: gem925
on: 07/07/2018 | 22:15

Its a good call, but also itemised bills then too?>

Message 7 of 17
by: k89bpa
on: 07/07/2018 | 22:54 edited: 07/07/2018 | 23:34


That's not actually true. To retain information companies need to prove they have a "lawful basis" for doing so. "We want to because it's valuable to us!", is not a lawful basis as defined by GDPR or DPA.

The simplest way for people to tackle nonsense from companies is to feed them false information.

People don't realise that you are not actually under any legal obligation to give companies the data they request or tell them the truth when they request it.

As long as you are not attempting to or intending to commit fraud, you're good to go, you can tell them anything you want.

It's so much easier than telling the truth when filling in their stupid forms and then having to fight with them to get it removed later.

It also helps to protect you from identity fraud should websites and databases be hacked as miscreants attempting to use your details to obtain credit and documentation will fall well short of the requirements necessary to do so.

If you don't want to feed them false information because it feels like lying then just omit information, incomplete names, addresses and phone numbers, be creative, as creative as you like. Just make a note of what you hand over in case you need to use it in the future.

Treat companies with the contempt with which they treat their customers and users.

I've been doing it since 1995 without any issues whatsoever.

It gives tremendous satisfaction when you attempt to exercise your rights and a company refuses to allow you to do so knowing the information they have and are so desperate to cling onto is totally bogus.

Seriously, just make it up as you go along.


EDIT: It is also a good way to protect against identity fraud. With so many hacks happening all the time now, the more misinformation which you can spread the better as it means there is less chance of miscreants being able to use your data to cause you issues by taking services in your name. 


This is just basic common sense in this day and age. You cannot rely on companies keeping your data safe, you've got to do what you can yourself to try and make sure that you protect yourself as much as possible. 


It's almost becoming necessary to do so and it's so much easier than having to clean up a mess afterwards if you are caught out by such things. 


This, incidentally is why you should always either avoid talking about certain things online or if you do bend the truth or be vague, as that helps to protect you from social engineering attacks.


For instance if you use your favourite place as a password and then post online declaring that place to be your favourite place, you're an idiot because you've just created a possible attack vector where someone can potentially cause havoc in your life. And it's the same with all other bits of information you give away, so don't use them as passwords, or better still, when posting things online give incorrect information. 


I know that some people object to such things because it's seen as lying or misleading but if you're posting your name in one thread and declaring that it's your xxth birthday in another, and that information is correct, that's potentially all that a miscreant needs to start causing mischief in your life. 


Someone gets your email address and you've set your password recovery to the name of your pet, then posted the name of your pet online, bye bye control of your email address, (okay this is increasingly rare with two factor authentication, but it is still possible with many providers and services, some ask you for your date of birth or other information which you may or may not have shared publicly). 


It's not just for the fun of being able to stick it to companies who treat you and your rights regarding data with contempt, there's a more serious reason why you should be handing over as little accurate data as possible. 

Message 8 of 17
by: endorphin
on: 08/07/2018 | 10:43

@k89bpa wrote:


That's not actually true. To retain information companies need to prove they have a "lawful basis" for doing so. "We want to because it's valuable to us!", is not a lawful basis as defined by GDPR or DPA.

Yes it would be necessary to prove that there is a lawful requirement to retain your data. Having said that I cannot think of a situation where giffgaff would.

Get a free giffgaff SIM/microSIM/nanoSIM with free £5 credit
Message 9 of 17
by: k89bpa
on: 08/07/2018 | 13:09
@endorphin I can't comment on giffgaff specifically, they've shut me down every time I've tried.

What I can say though is that the are companies that when a new law is introduced will simply refuse to comply with it until they are forced to either by the courts or by the regulator.

They are perfectly within their rights to do so, and many companies do it all the time, but it is shocking bad customer service when they do.

That's why I advocate people only give as little true information to companies as possible and make up the rest. We've seen scandal after scandal after scandal involving companies and our data, fight back by giving them a ton of bogus data.

And do it with every single company and platform that you deal with no matter how trustworthy they seem or claim to be because appearances can be extremely deceptive sometimes. Trust none of them.

I know that's unfair on the ones who do comply with the law and respect their users/customers and their rights but even one who doesn't is enough to justify giving them all bogus data.

And like I said earlier, there are very valid security reasons for doing so as well, especially if a company is one of those who respond to laws by saying "No!", ignoring them and force customers and users to go via the regulators or court systems.

One area of GDPR which has already been clarified is the public display of personal and personally identifiable material without consent is prohibited.

ICANN tried to argue otherwise in a German court, that court slapped then immediately and hard, so although ICANN are trying to progress that further there is now case law regarding those aspects of GDPR.

If a company tries to claim contract, (terms and conditions), sorry but as ICANN are discovering to their cost, law trumps contract, and if they claim previously given consent they can't ignore the fact that consent has been removed/revoked if that is the case.

They can try and claim that removal of consent is excessive in an attempt to keep your data and keep doing whatever they want with your data, but in most cases removal means running a single database command, two or maybe three at the most which no court or regulator on the planet would deem excessive given that it's literally a 5 minute job at most.

I know that because I've done it myself back in the days when I was really into hosting and was administrating multiple websites and blogs.

Occasionally is get requests to remove all submitted information, It took me three minutes at most to action such requests after opening them, (I didn't receive many but those I did we actioned within twelve hours at the most, the majority were done within the hour, because that's good customer service, it builds a reputation as a trustworthy supplier because word spreads, so it made good business sense.).

Like I said though, is safest all round to feed bogus information wherever possible, especially from a security standpoint because then if you come across a company who won't erase your data willingly, you won't have to worry about them getting hacked because the vast majority of the data they hold will be unusable in a real world sense. It will also pollute the dataset companies collect and sell, and the more people who do it, the more useless their data collection and the profiling stemming from it becomes.

It's far safer than trusting companies and expecting them to do the honourable thing and obey the law, exposes you to significantly less risk.
Message 10 of 17