- not hide it trying to trick the user into "buying" something to delete their account
through if you have bought one but can not use it because someone else has an account with the hardware you bought from them then the person from which you bought it must do the deletion request for it to be covered by GDPR
and they probably could come up with some nonsense where the account is deleted by the device "stays locked" and you have to pay 20€ to unlock it for a new account
that might still be in violation of consumer protection law, but no longer has anything to do with GDPR and even in consumer protection law will be in a gray zone where you can do little but complain to official agencies
SoFlow AG
Bionstrasse 4
9015 St.Gallen
Switzerland
They are not members of the EU. Still, a well-written email in legal lingo in the country's official language helps a lot. Remember to include a reference to the relevant local law.
It doesn’t. You can block their crawler with robots.txt and send DMCA takedown requests for archived pages as the domain owner which they will honor.
Edit: I was under the wrong impression that if you specifically call out ia_archiver in robots.txt they would honor it. It’s been completely ignored since 2017.
Administrative Processing Fees are a thing of GDPR. In most cases, however, this should not be a applicable for something as simple as an SQL statement from a button.
Why is it legal to charge if they don't manually, but not of they do up front work to automate it? That would create an incentive to not automate, which would be a chilling effect.
This is weird. Their privacy policy enforcing them to delete your account. I guess it is just a catch for those who don't know what GDPR us.
4. Right to deletion
a) Obligation to delete
You may request the controller to delete the personal data concerning you without undue delay, and the controller is obliged to delete such data without undue delay, if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based and there is no other legal basis for the processing.
You object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing.
- The personal data concerning you have been processed unlawfully.
The deletion of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) DSGVO.
It’s meant to take on the large/multiple offenders; if they get enough complaints about 1 company and after warnings that company doesn’t change, they will fine.
they could fine without warning and IMHO they should start doing so it's the law isn't new isn't complicated to roughly get right for 99% of companies so there is no longer reason to go easy on companies which seem to very knowingly give a shit (independently of weather it actually was knowingly)
That would make it more like the US with over litigation, companies hiring people to find competitors in violation and going by the letter instead of the intent of the law. Also; the gdpr is large and complex but the intent is pretty clear; if we start to go by the letter, very many companies are unknowingly in violation but cannot afford consultants. They don’t abuse the data ; they just store too much for instance. It would be very strange if they get fined immediately; they will have 0 complaints over their existence probably, so a warning would suffice.
The companies that don’t give a shit aka ignore warnings from the overseer in their country, will get fined; small or big. It works fine.
also too little clarification for "predictable edge cases and ways companies try to circumvent" had been put in law upfront (laws some a form of comment section into which such things can be placed, most times as result of previous court decisions)
and from the resources which are available too many are bound in large companies bullshitting around by trying to delay enforcement by a very obvious misinterpretations of the law and huge legal teams/founds to delay and delay and delay
It might be similar to how credit report agencies have to provide the reports for free under GDPR, but not before trying to make you pay twenty different ways.
>but not before trying to make you pay twenty different ways.
This itself is illegal. It must be simple and straightforward. EU laws broadly do not tolerate the rules lawyering popular in the US, companies know what the intent is and playing games will not work out in their favor.
First time I opened the page, it redirected me away. Second time, it stayed on the product page. Third time, it redirected me away but the back button could return me to the subject of this thread. Subsequent attempts didn't even give me that.
It's been there for a long while, doesn't look like a test item. My guess is they're trying to take it down, but cache hits along the way bring it back for now.
Well, there can be administrative fees. It is a right, but that does not imply that it is cost-free. As a EU citizen you have the right to settle in france, but the registration process in the village you need to pay.
No if you operate in the EU you have to comply that's it. If you buy something from Joe the farmer in PA, you are the one importing it (you are paying the custom duties) and Joe the farmer doesn't have to comply with anything related to GDPR. If Joe the farmer wants to sell directly its product in the EU (not from the US) then he has to comply.
You can break a country’s laws depending on whether or not you are ever going to go to that country, or what treaties your country has signed which might cause it to enforce other countries’ laws.
These GDPR conversations tend to pointlessly go back and forth on this because one side is describing the GDPR from the point of view of: what does the law say? The other is looking at it from the point of view of: I only have to follow my country’s laws.
The latter is closer to correct in some technical sense; laws have finite jurisdictions. But the EU has a big market and so lots of entities play ball with them, to some extent, in general, so it is probably better for most people to comply.
I think the idea is that the GDPR requires that companies allow users to delete or correct data about them.
And the GDPR scope is determined by the user, not the company. You can have your company based on the far side of the moon, with 99.99% of your users based on mars. For that one user that is living in Europe (note : living, not nationality) the GDPR applies.
Mind you, I'm not sure that the GDPR says that you can't charge for that. As long as you can justify that the amount is in relation to your expenses, my bet would be that a judge will allow it.
If they only sold their products in Switzerland, sure. But once they operate in EU countries, they must respect EU laws (for those costumers, at least).
Switzerland is part of the EU Internal Market through the EEA though and therefore has to implement many laws like this. It just doesn't have a say in them.
Switzerland's a bit of an oddity; it's actually not in the EEA, but in EFTA. It's not subject to the ECJ, but to EFTA Court (which is definitely not the ECJ wearing false moustaches). And it's not subject to the GDPR, but it has a law aligned to the GDPR.
EDIT: No, I'm wrong; while EFTA Court used to be based in Switzerland, Switzerland is no longer subject to it. It still exists, but only for EFTA members who are also EEA members. This whole thing is impossible to keep track of.
Switzerland isn't in the EEA either as they rejected EEA membership in a vote in '92.
Instead they have a weird patchwork of bilateral treaties that are designed to look pretty much like EEA membership if you squint just right, and look like just bilateral treaties in separate areas if you squint a bit differently. They're linked, and at least the first seven have a "guillotine clause" so they all cease to apply if one of them is canceled, so in practice Switzerland is practically like an EEA member, but they get to pretend it's all very different.
There are some clear differences, though, and there have been years of negotiations trying to reduce them without success.
I don't know what point you are trying to make with your snark, but bilateral treaties are much easier to alter or cancel if one party so desires, and public opinion in Switzerland is that they were definitely the right choice and the way to go forward. They are actively being negotiated.
The point is that it was constructed largely as a convenient a fiction intended to mollify the Swiss electorate after they voted no to the EEA, as the bulk of the "separate" bilateral treaties can't be separated, altered or cancelled without all of them being canceled by the guillotine clause, as Switzerland has already found out once, so there is no difference in the difficulty of cancellations, for example - you cancel one thing, and everything unravels in either case.
They are actively being negotiated because both Switzerland and the EU have realised there's a need to reform the original treaties, and the EU for a decade now have insisted that anything replacing them need to be closer to the EEA agreement, while having made clear they're not doing this crazy thing again for anyone else.
Well, judging by how incredibly many EU citizens emigrate to Switzerland, which is directly caused by the bilateral treaties, there's certainly interest from both parties to negotiate. Switzerland also pays raw cash to the EU as part of the deal.
I'm not sure how long the EU can afford to further alienate countries that pay net positive into it's wallet, after losing the UK and the continuing rise of euroscepticism.
The current round of negotiations were directly triggered by Switzerland trying to restrict freedom of movement and realizing they couldn't do that without cancelling all the treaties.
The EU can afford to stick to its guns in this indefinitely. It's made it clear for a decade that any change to the treaties with Switzerland can contain minor concessions, but only in return for a bet reduction in the deviations from the EEA framework.
With respect to euro scepticism, that largely fell apart thanks to Brexit - most of the parties arguing for the same for their countries have moderated their stances significantly, and support for the EU increased massively. Including in the UK where Brexit is widely seen as a massive mistake, and it's more a question of electoral calculus (neither of the big parties can afford to alienate the Brexit diehards yet; they're spread across the political labdscape) than anything else when rejoining gets in the political agenda.
As an addition re: the reduction in euroscepticism, according to Pew Research, between 2016 and 2019, the proportion of people with a favorable view of the EU rose 26 percentage points in Greece, 19 in Germany, 19 in Spain, 18 in Sweden 15 in the Netherlands, 13 in France, 12 in Poland, 10 *in the UK, 6 in Hungary. In 2022, a EU parliament survey showed overall support for the EU across member states was at a 15 year high, also much thanks to the Brexit bounce. In 2023, the European Parliament Eurobarameter - Autumn 2023 survey showed 72% of EU citizens think that their country has benefited from being a member of the EU, and only 22% thinks it has not.
IANAL, but I don't see any requirement of it having to be "free". I probably miss something. And It would seem very much against the spirit, but is a company really not allowed to charge fees for "deleting"?
This is a sever breach of GDPR, so is their practice to use the information you give them when ordering for other things then processing your order without an explicit non required opt-in on your part.
Furthermore in the past when GDPR was new, judges where often quite lenient when it came to enforcement of first offenders but that is increasingly less the case. And which such bland consumer abusive business practices they might be in for a really bad awakening (if they sell to the EU).
Additionally given all that I wouldn't be surprised if their website is also committing GDPR violations.
Also even if they have free GDPR deletion "hidden somewhere" that still would be a violation of GDPR as it has been clarified by judges in other cases (related to information requests instead of deletion).
Do you have a source for this? I remember people talking about it being possibile for them to do (and now redact.dev even replaces old comments with randomly-generated sentences) but I don't recall them being caught actually doing it.
It's a 'misunderstanding' of how reddit works. It turns out that you can't delete comments from subreddits that are private without the required posting permission flag.
So when subreddits went 'dark' during the protest, and then people deleted their comment history, the messages on the dark subreddits came back when the protest ended and the subreddit became public again. At that point you can just delete the comments again of course, unless you deleted your account, in which case those necromanced comments stay undead forever.
An 'unfortunate bug' with deleting comments they told me when I asked them about my full comment history (edited to be empty and subsequently deleted) being restored. Many of those subreddits did not participate in the protests.
When ordering two of those items (which is kinda weird) i noticed the following:
“ Your personal data will be used to process your order, support your experience throughout this website, and for other purposes described in our privacy policy.”
Does this mean while processing my order, the account removal, they update or recreate the account? :)
The account thing seems to be an issue for people who buy e-scooters on the secondary market (i.o.w. used). Often, the scooter is still tied to the previous owner's app.
I've found forum posts of people resorting to using the email/password from the previous owner, or sending a registered letter to SoFlow asserting the new ownership.
So, and now I'm speculating, it's possible that this is less about deleting the account than it is about unlinking a scooter from your account, and it is a way for SoFlow to dip into the secondary market -- each transfer nets them another 20 EUR.
It's also possible that this is a way for the new owner to unlink their scooter from the previous owner, with an associated service charge -- the checkout page requires proof of ownership. In that case, it might be a way to prevent fraud, i.e. people stealing scooters and resetting them; thieves are unlikely to pay 20 EUR for that, nor are they keen on tying their real identity to the stolen scooter.
Like I said, this is speculation and I'm not saying this is a good way to do it, and it's not at all explained on the website, I'm just thinking aloud here. It just seems unlikely that anybody would attempt to charge 20 EUR for a simple account deletion.
I took it that he was being sarcastic in that comment. Only the mafia would charge you for making you the favor of removing you a problem that themselves created.
Monetization of churn? Nice try marketeers, you gave me the fatal argument I needed to never sign up. Just because you revealed your values with that proposal, I know I never want any relationship with that.
Considering its a company established in Switzerland, and that by Swiss law you have the right to informational self determination, as in you have the right to correct/delete data about you (to some extend ofc), I'd say its grossely illegal
Company location does not matter for this — if you sell goods internationally, you must obey consumer laws wherever you sell them, instead of wherever your business is located
I thought this had to be an April Fools' Day joke but upon checking the source, it shows the page was last modified on 2023-11-14. It's even more hilarious (in a sad way).
BTW there are European banks that have fees for account closure (and for cancelling credit/debit cards; and for stopping standing payment orders; and maybe for cancelling SEPA mandates).
116 comments
[ 2.7 ms ] story [ 166 ms ] thread- provide it for free and process it in due time
- not hide it trying to trick the user into "buying" something to delete their account
through if you have bought one but can not use it because someone else has an account with the hardware you bought from them then the person from which you bought it must do the deletion request for it to be covered by GDPR
and they probably could come up with some nonsense where the account is deleted by the device "stays locked" and you have to pay 20€ to unlock it for a new account
that might still be in violation of consumer protection law, but no longer has anything to do with GDPR and even in consumer protection law will be in a gray zone where you can do little but complain to official agencies
SoFlow AG Bionstrasse 4 9015 St.Gallen Switzerland
They are not members of the EU. Still, a well-written email in legal lingo in the country's official language helps a lot. Remember to include a reference to the relevant local law.
Some leads: https://www.ey.com/en_ch/law/a-new-era-for-data-protection-i...
It could just let you delete an arbitrary account ;)
Edit: I was under the wrong impression that if you specifically call out ia_archiver in robots.txt they would honor it. It’s been completely ignored since 2017.
https://web.archive.org/web/20230324031319/https://www.soflo...
I guess things are improving?
In the UK it's showing the initial link as costing £ 29,90.
'rip off Britain' I guess.
4. Right to deletion
a) Obligation to delete
You may request the controller to delete the personal data concerning you without undue delay, and the controller is obliged to delete such data without undue delay, if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based and there is no other legal basis for the processing. You object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing.
- The personal data concerning you have been processed unlawfully.
The deletion of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) DSGVO.
The companies that don’t give a shit aka ignore warnings from the overseer in their country, will get fined; small or big. It works fine.
the problem is violations are just far to many
the reporting of them spotty
and the processing is far too slow
also too little clarification for "predictable edge cases and ways companies try to circumvent" had been put in law upfront (laws some a form of comment section into which such things can be placed, most times as result of previous court decisions)
and from the resources which are available too many are bound in large companies bullshitting around by trying to delay enforcement by a very obvious misinterpretations of the law and huge legal teams/founds to delay and delay and delay
This itself is illegal. It must be simple and straightforward. EU laws broadly do not tolerate the rules lawyering popular in the US, companies know what the intent is and playing games will not work out in their favor.
Same with the DMA - Apple is blatantly acting in bad faith and contempt of the regulations and have yet to see a fine.
There are circumstances where they can charge a 'reasonable fee' for processing a Subject Access Request.
also having a payed deletion and a hidden free GDPR complilant deletion is also not legal
Is this a real product, or a test item?
Well, looks like they took this too literally and put actual price on "your privacy".
These GDPR conversations tend to pointlessly go back and forth on this because one side is describing the GDPR from the point of view of: what does the law say? The other is looking at it from the point of view of: I only have to follow my country’s laws.
The latter is closer to correct in some technical sense; laws have finite jurisdictions. But the EU has a big market and so lots of entities play ball with them, to some extent, in general, so it is probably better for most people to comply.
And the GDPR scope is determined by the user, not the company. You can have your company based on the far side of the moon, with 99.99% of your users based on mars. For that one user that is living in Europe (note : living, not nationality) the GDPR applies.
Mind you, I'm not sure that the GDPR says that you can't charge for that. As long as you can justify that the amount is in relation to your expenses, my bet would be that a judge will allow it.
EDIT: No, I'm wrong; while EFTA Court used to be based in Switzerland, Switzerland is no longer subject to it. It still exists, but only for EFTA members who are also EEA members. This whole thing is impossible to keep track of.
https://en.wikipedia.org/wiki/File:Supranational_European_Bo...
Instead they have a weird patchwork of bilateral treaties that are designed to look pretty much like EEA membership if you squint just right, and look like just bilateral treaties in separate areas if you squint a bit differently. They're linked, and at least the first seven have a "guillotine clause" so they all cease to apply if one of them is canceled, so in practice Switzerland is practically like an EEA member, but they get to pretend it's all very different.
There are some clear differences, though, and there have been years of negotiations trying to reduce them without success.
They are actively being negotiated because both Switzerland and the EU have realised there's a need to reform the original treaties, and the EU for a decade now have insisted that anything replacing them need to be closer to the EEA agreement, while having made clear they're not doing this crazy thing again for anyone else.
I'm not sure how long the EU can afford to further alienate countries that pay net positive into it's wallet, after losing the UK and the continuing rise of euroscepticism.
The EU can afford to stick to its guns in this indefinitely. It's made it clear for a decade that any change to the treaties with Switzerland can contain minor concessions, but only in return for a bet reduction in the deviations from the EEA framework.
With respect to euro scepticism, that largely fell apart thanks to Brexit - most of the parties arguing for the same for their countries have moderated their stances significantly, and support for the EU increased massively. Including in the UK where Brexit is widely seen as a massive mistake, and it's more a question of electoral calculus (neither of the big parties can afford to alienate the Brexit diehards yet; they're spread across the political labdscape) than anything else when rejoining gets in the political agenda.
As an addition re: the reduction in euroscepticism, according to Pew Research, between 2016 and 2019, the proportion of people with a favorable view of the EU rose 26 percentage points in Greece, 19 in Germany, 19 in Spain, 18 in Sweden 15 in the Netherlands, 13 in France, 12 in Poland, 10 *in the UK, 6 in Hungary. In 2022, a EU parliament survey showed overall support for the EU across member states was at a 15 year high, also much thanks to the Brexit bounce. In 2023, the European Parliament Eurobarameter - Autumn 2023 survey showed 72% of EU citizens think that their country has benefited from being a member of the EU, and only 22% thinks it has not.
This is a sever breach of GDPR, so is their practice to use the information you give them when ordering for other things then processing your order without an explicit non required opt-in on your part.
Furthermore in the past when GDPR was new, judges where often quite lenient when it came to enforcement of first offenders but that is increasingly less the case. And which such bland consumer abusive business practices they might be in for a really bad awakening (if they sell to the EU).
Additionally given all that I wouldn't be surprised if their website is also committing GDPR violations.
Also even if they have free GDPR deletion "hidden somewhere" that still would be a violation of GDPR as it has been clarified by judges in other cases (related to information requests instead of deletion).
19.90€/month to keep being deleted. Otherwise we will restore your account
So when subreddits went 'dark' during the protest, and then people deleted their comment history, the messages on the dark subreddits came back when the protest ended and the subreddit became public again. At that point you can just delete the comments again of course, unless you deleted your account, in which case those necromanced comments stay undead forever.
A week later (after my account was deleted and inaccessible) my full comment history was restored.
Reddit's official response is that it was 'an unfortunate bug' and there's nothing they could do.
Turns out is is 'deactivated' which is certainly different from deleted.
:/
“ Your personal data will be used to process your order, support your experience throughout this website, and for other purposes described in our privacy policy.”
Does this mean while processing my order, the account removal, they update or recreate the account? :)
I've found forum posts of people resorting to using the email/password from the previous owner, or sending a registered letter to SoFlow asserting the new ownership.
So, and now I'm speculating, it's possible that this is less about deleting the account than it is about unlinking a scooter from your account, and it is a way for SoFlow to dip into the secondary market -- each transfer nets them another 20 EUR.
It's also possible that this is a way for the new owner to unlink their scooter from the previous owner, with an associated service charge -- the checkout page requires proof of ownership. In that case, it might be a way to prevent fraud, i.e. people stealing scooters and resetting them; thieves are unlikely to pay 20 EUR for that, nor are they keen on tying their real identity to the stolen scooter.
Like I said, this is speculation and I'm not saying this is a good way to do it, and it's not at all explained on the website, I'm just thinking aloud here. It just seems unlikely that anybody would attempt to charge 20 EUR for a simple account deletion.
Same thing as when you get 3 for the price of 2, which is also not a huge deal despite what you might think.
PS: Oh wait, States...