[JumpCrisscross]

> Developers have to have mechanisms in place to delete gdpr data when required and not store data that's not required for you goals

Purely anecdote, but zero companies I know in Germany, Italy or France are doing this. (The ones in Switzerland are.)

There is a cosmetic fix that produces an email so there is something to show a regulator if they come knocking. The logic being investing anything more than that is a crap shoot, given nobody knows how each of the EU’s 28 data regulators will interpret the rules.

[nolok]

You must work with some pretty poorly organised companies. I work with a lot of French, Belgian and German companies and they pretty much all have proper procedures and tools for this.

In France in particular the right to access/change/delete any and all data a company has on you was there long before GDPR (by decades) so most serious company are well used and prepped for it.

[JumpCrisscross]

> pretty poorly organised companies

They range from start-ups to national champions, but I won't disagree with you on the poor organization of most European companies point. Everyone one re-papered existing systems to some degree of compliance. Given nobody agrees on what full compliance is, they're all right in their own ways.

[nolok]

I wasn't making a point about European companies in general but about the ones You work with personally. Because they don't seem to be like the usual norm for European companies, that do have procedures and tools for this, unlike in your experience.

[kaftoy]

Also pure anecdotal, I have had GDPR interactions with EPIC Games (asked them to delete my account) and Blizzard Entertainment (asked them to retrieve my data). Both went well. The interaction with EPIC was manual, I had to send an email and got back what it looked like a personalized e-mail. Account seemed to be deleted.

With Blizzard it went a bit different. They do have online automated tool to download your own data, but with a twist: they refused to provide what they consider security risk information. They did provide a lot of data (even years old chat logs) but did not provide the information I was looking for: list of processes running on my PC, which they scan periodically, as an anti-cheating mechanism. I went further and filed a GDPR infringement complaint to the national office but it failed. Last option was to sue, but I gave up.

Both Epic and Blizzard are US based.

[cosmodisk]

Why did it fail,may I ask? Epic and Blizzard are US based but do significant business in the EU, so lots of stuff would apply to them.

[kaftoy]

It failed because, based on the evidence I have submitted to the national authority for data protection (the national entity enforcing the gdpr), they were not able to rule in my favor. In the e-mail exchange between me and Blizzard, they declared they store process data anonymized, but I don't believe it, since based on that data they decide to ban real game accounts (which are linked to real personal data). Going to trial just to try to prove a point wasn't worth it for me, but at least I have seen the national authority for data protection actualy reading the documents I have submitted, fundamenting their ruling with quotes from them.

[yoz-y]

The companies in France in worked for all did substantial work to comply with GDPR.

[JumpCrisscross]

Everyone did substantial work. But the net effect was making binders of policy and PowerPoint presentations. It’s an “impress a regulator” scheme. Not a hard requirements test, nor a private liability one.

[the_duke]

Many companies invested a lot of time.

But from what I have seen, most of that time was spent on the legal and policy site, not on actually implementing the technical changes required to properly handle, store and delete data.

I can absolutely guarantee you that the overwhelming majority EU companies could not properly carry out a GDPR deletion request.

[dtx1]

That's great news if any of these companies cannot or won't reply to your GDPR Deletion Request you can grab a default payment of at least 1k Euro just for that. Please name them, maybe i hit the jackpot with one of them

[dkersten]

My previous client is a reasonably large Swedish company with a big German presence and they took GDPR (and data protection in general) EXTREMELY seriously. I know because, outside of the training, I sat in on a few audit meetings.

[kergonath]

French companies do this. They did it before GDPR mostly.

[nolok]

Agreed, the right to access/change/delete any and all information a company stores on you predates GDPR by decades in France. It's not a new thing.