“Questions About GDPR Data Access Process” Spam from Virginia

The other day, I received the following email:

Subject: Questions About GDPR Data Access Process for [DOMAINNAME]
To Whom It May Concern:

My name is [REDACTED], and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:

  1. Would you process a GDPR data access request from me even though I am not a resident of the European Union?
  2. Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
  3. What personal information do I have to submit for you to verify and process a GDPR data access request?
  4. What information do you provide in response to a GDPR data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding [DOMAINNAME], I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.

Sincerely,

[REDACTED]

It’s a confusing email, but as it turns out, one received by many other website owners. In fact, there’s a thread about it on Reddit.

GDPR deals with processing personally identifiable information. Non-compliance can lead to stiff fines. It even applies to companies outside the EU if they process personal data of EU residents.

If you get a request regarding personally identifiable information from an EU resident, you will need to answer promptly and responsibly, or you can face fines. However, no such requirement exists under GDPR regarding data of individuals outside the EU.

I don’t know what the intention of the sender of this email is, but I have my suspicions.

The email was sent from an address at “potomacmail.com”, a domain registered only recently (2020-03-02), and it was sent from an Amazon EC2 host (52.23.113.96). The HTML portion of the email contains a reference to a single-pixel image, a “web bug”, loaded from the potomacmail.com website; opening the email in a web client that doesn’t automatically block images from untrusted senders causes the recipient’s IP address to be logged on that server:

https://potomacmail.com/p.png?req=GDPR&target=1234

The URI contains a unique value (it was something other than 1234 in my case) that presumably identifies the recipient of the email. In other words, the senders of this email themselves collect personally identifiable information which, if the recipient happens to be in the EU, is subject to GDPR and its potential fines.
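As an added example (not code from the original post), here is a small Python check that parses a message and flags remote images carrying query-string tokens or a declared 1x1 size, the pattern described above. The message text and the token value it parses are constructed for the demonstration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message (not the original email); the image URL mirrors
# the pattern quoted in the post, with a placeholder token value.
RAW_EMAIL = b"""From: sender@potomacmail.com
To: webmaster@example.com
Subject: Questions About GDPR Data Access Process for example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>To Whom It May Concern: ...</p>
<img src="https://potomacmail.com/p.png?req=GDPR&amp;target=1234" width="1" height="1">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))  # attribute values are unescaped

def find_web_bugs(raw):
    """Return remote images that look like tracking pixels: a URL carrying
    query parameters (a per-recipient token) and/or a declared 1x1 size."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text only: nothing can phone home on open
    parser = ImgCollector()
    parser.feed(html_part.get_content())
    hits = []
    for img in parser.images:
        src = img.get("src") or ""
        u = urlparse(src)
        if u.scheme not in ("http", "https"):
            continue  # cid:/data: images do not contact a remote server
        params = parse_qs(u.query)
        tiny = img.get("width") == "1" and img.get("height") == "1"
        if params or tiny:
            hits.append({"host": u.hostname, "params": params, "tiny": tiny})
    return hits
```

Running `find_web_bugs(RAW_EMAIL)` on the sample reports one hit from potomacmail.com with the `req` and `target` parameters, which is the signal a mail filter or a cautious reader would act on before loading remote images.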
