undefined | Better HN

0 pointsgpm5y ago0 comments

Not that this impacts your broader point, but

> the data within those 30 days

This is a common misconception. The requirement is

> GDPR information must be provided without undue delay but at latest within one month. Only in reasoned cases may this one-month deadline be exceptionally exceeded.

The operative requirement is without undue delay, one month is a maximum on the definition of undue delay, not a minimum. Intentionally delaying compliance for the better part of a month after you have demonstrated the ability to send the data within seconds would undoubtedly constitute undue delay... (Some exceptions apply)

0 comments

1 comments · 1 top-level

okamiueru5y ago

I agree. Though, in the context where I do mention this, I was pointing out the worst case that is easy to demonstrate a breach of. Spotify employee in correspondence made the mistake (and I mean this in the more business sense, as I personally find it refreshing that a correspondence is honest, rather than filled with protective legalese) of suggesting that the API would be trivial to reactivate, and thus making a case for it to be a case of causing an undue delay if not doing so. Without that, proving "undue delay" is not an easy thing to do.

Breach of this is not easy to prove, and I think that if this was to reach the court, it would be easily be dismissed if the user had their data transferred (in any form that can be processed, and not necessarily whatever was part of the original API spec) within 30 days.

Proving that undue delay was caused, is a much higher bar to meet. Again, less high due to the correspondence in question.

j / k navigate · click thread line to collapse